
CVE-2023-6036 PoC — WordPress Plugin Web3 安全漏洞

Source
Associated Vulnerability
Title: WordPress Plugin Web3 security vulnerability (CVE-2023-6036)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that supports hosting a personal blog site on a server running PHP and MySQL. A WordPress plugin is an application plugin. WordPress Plugin Web3 versions before 3.0.0 contain a security vulnerability caused by incorrect authentication checks in the login flow in the functions handle_auth_request and handle_login_request, which makes the plugin vulnerable to authentication bypass.
Description
PoC for the WordPress plugin Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass
Readme
# CVE-2023-6036
POC about WordPress plugin _Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass_


This vulnerability is an authentication bypass due to incorrect authentication checking in the `handle_login_request` and `handle_auth_request` functions.



## Vulnerability

I have divided the login flow into 3 steps, which are actually 3 different POST requests made when logging in through a web3 wallet.

### 1. handle_login_request
![](img/1.png)

![](img/2.png)

With this POST request, anybody can retrieve an existing user's nonce, so you can get the admin user's nonce just by knowing their username or wallet address: replace the "address" parameter with the username and make the POST request.

Then you can drop the second login POST, as it only checks whether the signature of the nonce is correct, but it is isolated from the login flow.


### 2. handle_auth_request
![](img/3.png)

![](img/4.png)

In the third step, you can log in just by sending:

• target username

• target nonce (from step 1)

• public wp nonce


### 3. hidden_form_data

![](img/5.png)

![](img/6.png)

So basically the third step doesn't check that the user trying to log in is the same user that made the signature in step 2; anybody can bypass the login authentication and potentially log in as an admin user.
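The following is an added example, not code from the plugin or this PoC: a simplified model of the three-step flow showing step 3 as described above beside a hardened version that only accepts a nonce whose signature was actually verified in step 2, and consumes it. A keyed HMAC stands in for the wallet's ECDSA signature and the "wallet key" lives in the same object purely so the example runs offline; the class and method names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed model of the plugin's login flow (not the plugin's PHP code).
# An HMAC over the nonce stands in for the wallet signature.
class Web3LoginModel:
    def __init__(self):
        self.users = {}        # username -> (wallet address, wallet key)
        self.nonces = {}       # username -> outstanding login nonce
        self.verified = set()  # (username, nonce) pairs with a checked signature

    def register(self, username, address, wallet_key):
        self.users[username] = (address, wallet_key)

    def handle_login_request(self, identifier):
        # Step 1: accepts a username or wallet address and returns the
        # nonce without any proof of wallet ownership, as the README describes.
        for name, (address, _) in self.users.items():
            if identifier in (name, address):
                self.nonces[name] = secrets.token_hex(16)
                return self.nonces[name]
        return None

    def sign(self, username, nonce):
        # Wallet-side stand-in for signing the nonce with the private key.
        _, key = self.users[username]
        return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

    def verify_signature(self, username, signature):
        # Step 2: records that the current nonce was signed by this wallet.
        nonce = self.nonces.get(username)
        if nonce is None:
            return False
        if not hmac.compare_digest(signature, self.sign(username, nonce)):
            return False
        self.verified.add((username, nonce))
        return True

    def handle_auth_request_vulnerable(self, username, nonce):
        # Step 3 as described: only checks the nonce matches, never step 2.
        return username if self.nonces.get(username) == nonce else None

    def handle_auth_request_fixed(self, username, nonce):
        # Hardened step 3: the nonce must have a verified signature from the
        # owning wallet, and it is consumed so it cannot be replayed.
        if (username, nonce) not in self.verified:
            return None
        self.verified.discard((username, nonce))
        self.nonces.pop(username, None)
        return username
```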


## References

https://wpscan.com/vulnerability/7f30ab20-805b-422c-a9a5-21d39c570ee4

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6036

https://www.udemy.com/course/0-day-wordpress/?referralCode=7039562B316447367B85
File Snapshot

[4.0K] /data/pocs/ddd67221b53dac34b1ca78065cba178ae354f97f
├── [2.0K] CVE-2023-6036.py
├── [4.0K] img
│   ├── [194K] 1.png
│   ├── [ 96K] 2.png
│   ├── [ 91K] 3.png
│   ├── [361K] 4.png
│   ├── [151K] 5.png
│   └── [574K] 6.png
├── [ 756] nuclei_template.yaml
└── [1.5K] README.md

1 directory, 9 files