Skip to content

Unauthenticated Broken Authentication Vulnerability in WordP...#1421

Merged
carlospolop merged 2 commits intomasterfrom
update_Unauthenticated_Broken_Authentication_Vulnerabilit_20250919_123745
Sep 30, 2025
Merged

Unauthenticated Broken Authentication Vulnerability in WordP...#1421
carlospolop merged 2 commits intomasterfrom
update_Unauthenticated_Broken_Authentication_Vulnerabilit_20250919_123745

Conversation

@carlospolop
Copy link
Copy Markdown
Collaborator

@carlospolop carlospolop commented Sep 19, 2025

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Product: Jobmonster (premium WordPress theme). ~5,000+ sales.
Vulnerability: Unauthenticated broken authentication in Social Login handler (CVE-2025-54738). Severity: CVSS 9.8 (Critical).
Affected/Fixed: Observed in 4.7.9 (per advisory slug); fixed in 4.8.0 on August 8, 2025. Update immediately.

Where and why it breaks: The Social L...

🔧 Technical Details

Abusing social-login fallbacks in WordPress AJAX: Identify unauthenticated admin-ajax.php actions for social login that (1) lack nonce/capability checks and (2) accept a client-supplied identifier (e.g., id) as email when provider data is missing/unsupported. Force the code into its default branch with using set to an invalid value, supply id=<victim-email>, and the handler may call wp_set_auth_cookie(), creating a logged-in session for that user. This technique yields account takeover wherever social-login handlers trust POSTed identifiers without validating provider responses.

🤖 Agent Actions

I analyzed the blog and the HackTricks repository structure and found that the best place to document this technique is the existing WordPress page. HackTricks already has a “WordPress Plugins Pentest” section with similar unauthenticated AJAX and authentication bypass techniques (e.g., cookie-trusted user switching, trusted header impersonation). However, it didn’t specifically cover Social Login handlers abused via admin-ajax.php falling back to a client-supplied email and calling wp_set_auth_cookie(). I added a new section detailing this technique, including the vulnerable pattern, PoC requests, detection, and hardening guidance. I also added the blog to the references.

Changes made:

  • Updated: src/network-services-pentesting/pentesting-web/wordpress.md
    • Added section: “Unauthenticated account takeover via Social Login AJAX fallback (Jobmonster Theme <= 4.7.9)” explaining:
      • The flawed AJAX logic pattern using a provider switch with an insecure fallback to $_POST['id'] and a subsequent wp_set_auth_cookie()
      • Unauthenticated exploitation via /wp-admin/admin-ajax.php with bogus provider and id=<victim_email>
      • Expected response and Set-Cookie indicating login
      • How to locate the action name in theme/plugin code
      • Detection ideas and hardening steps (nonce, capability checks, removing fallback, validating OAuth/OIDC provider responses)
      • Note on the fix (removing fallback in 4.8.0)
    • Added the Patchstack advisory URL to the References.

No new files were created because the existing WordPress page is the appropriate place for this content.

References added:

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

Add content from: Unauthenticated Broken Authentication Vulnerability…
9b8edf1 
… in WordP...

- Remove searchindex.js (auto-generated file)
@carlospolop
Copy link
Copy Markdown
Collaborator Author

carlospolop commented Sep 19, 2025

🔗 Additional Context

Original Blog Post: https://patchstack.com/articles/unauthenticated-broken-authentication-vulnerability-in-wordpress-jobmonster-theme/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> WordPress Security -> admin-ajax.php unauthenticated actions / Social Login authentication bypass (wp_set_auth_cookie abuse)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions Bot force-pushed the master branch 6 times, most recently from 88a07c5 to 73b307c Compare September 29, 2025 22:21
@carlospolop
Copy link
Copy Markdown
Collaborator Author

carlospolop commented Sep 30, 2025

merge

@carlospolop carlospolop merged commit 98272ba into master Sep 30, 2025
@carlospolop carlospolop deleted the update_Unauthenticated_Broken_Authentication_Vulnerabilit_20250919_123745 branch September 30, 2025 20:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@carlospolop