WordPress UserPro 4.6.17 Authentication Bypass

WordPress Userpro plugin versions 4.9.17 and below suffer from an authentication bypass vulnerability.

MD5 | 3caf55475144701c51ba9e65a7535575

# Exploit Title: Userpro a WordPress Plugin a Authentication Bypass
# Google Dork: inurl:/plugins/userpro
# Date: 11.04.2017
# Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Version: <= 4.6.17
# Tested on: Wordpress 4.8.3
# CVE : requested, not assigned yet.

The userpro plugin has the ability to bypass login authentication for the user
'admin'. If the site does not use the standard username 'admin' it is not affected.

1 - Google Dork inurl:/plugins/userpro

2 - Browse to a site that has the userpro plugin installed.

3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true

4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in
will full administrator access.

10/25/2017 a Wordfence notified of issue by Iain Hadgraft.
10/26/2017 a Vendor resolved the issue in the plugin.
11/04/2017 - Disclosure.

Related Posts