The vulnerabilities of the `handle_login_request()` and `handle_auth_request()` functions of the Web3 plugin – a crypto wallet login & NFT token-gating system for WordPress website content management systems – allow attackers to bypass existing security restrictions.

🗓️ 06 Feb 2024 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 2 Views

Vulnerabilities in Web3 plugin login and authentication handlers allow security bypass via crafted post requests on WordPress.

Reporter	Title	Published	Views	Family All 14
GithubExploit	Exploit for Incorrect Authorization in Miniorange Web3_-_Crypto_Wallet_Login_\&_Nft_Token_Gating	31 Jan 202416:58	–	githubexploit
Circl	CVE-2023-6036	1 Feb 202411:03	–	circl
CNNVD	WordPress Plugin Web3 Security Vulnerability	12 Feb 202400:00	–	cnnvd
CVE	CVE-2023-6036	12 Feb 202416:06	–	cve
Cvelist	CVE-2023-6036 Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass	12 Feb 202416:06	–	cvelist
NVD	CVE-2023-6036	12 Feb 202416:15	–	nvd
OSV	CVE-2023-6036	12 Feb 202416:15	–	osv
Patchstack	WordPress Web3 – Crypto wallet Login & NFT token gating Plugin < 3.0.0 is vulnerable to Broken Authentication	13 Feb 202400:00	–	patchstack
Prion	Authentication flaw	12 Feb 202416:15	–	prion
Positive Technologies	PT-2024-1507 · WordPress · Web3	17 Jan 202400:00	–	ptsecurity

Vulners

Node

miniorange_security_software_pvt web3_-_crypto_wallet_login_&_nft_token_gatingRange<3.0.0

Source	Link
wpscan	www.wpscan.com/vulnerability/7f30ab20-805b-422c-a9a5-21d39c570ee4/
github	www.github.com/pctripsesp/CVE-2023-6036
web	www.web.nvd.nist.gov/view/vuln/detail

06 Feb 2024 00:00Current

5.5Medium risk

Vulners AI Score5.5

CVSS 38.8

CVSS 210

EPSS0.01773

Web3 plugin login handler authentication handler WordPress security bypass post requests