WordPress UserPro 4.6.17 Authentication Bypass

WordPress Userpro plugin versions 4.9.17 and below suffer from an authentication bypass vulnerability.


MD5 | 3caf55475144701c51ba9e65a7535575

# Exploit Title: Userpro a WordPress Plugin a Authentication Bypass
# Google Dork: inurl:/plugins/userpro
# Date: 11.04.2017
# Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Version: <= 4.6.17
# Tested on: Wordpress 4.8.3
# CVE : requested, not assigned yet.

Description
================================================================================
The userpro plugin has the ability to bypass login authentication for the user
'admin'. If the site does not use the standard username 'admin' it is not affected.

PoC
================================================================================
1 - Google Dork inurl:/plugins/userpro

2 - Browse to a site that has the userpro plugin installed.

3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true

4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in
will full administrator access.
================================================================================

10/25/2017 a Wordfence notified of issue by Iain Hadgraft.
10/26/2017 a Vendor resolved the issue in the plugin.
11/04/2017 - Disclosure.


Related Posts