## https://sploitus.com/exploit?id=0065FFFA-21BF-58D9-A017-7A3298D3F5F0
# CVE-2023-6036
PoC for the WordPress plugin _Web3 - Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass_
This vulnerability is an authentication bypass caused by incorrect authentication checking in the `handle_login_request` and `handle_auth_request` functions.
## Vulnerability
I have divided the login flow into 3 steps, which are actually 3 different POST requests made when logging in through our web3 wallet.
### 1. handle_login_request


With this POST request, anybody can retrieve an existing user's nonce, so you can get the admin user's nonce just by knowing their username or wallet, replacing the `address` param with their username and making the POST request.
Then, you can drop the second login POST, as this only checks whether the signature of the nonce is correct, but it is isolated from the rest of the login flow.
### 2. handle_auth_request


In step 3, you can make the login just by sending:
- target username
- target nonce (from step 1)
- public wp nonce
### 3. hidden_form_data


So basically, the plugin does not check that the user trying to log in in step 3 is the same user who made the signature in step 2, so anybody can bypass the login authentication and potentially do it as an admin user.
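
The missing check described above, modelled as an added example (not the plugin's code or its patch): step 3 only succeeds if step 2 verified a signature for the same address and the same nonce, and the challenge is consumed afterwards. The class and function names are hypothetical, the state is keyed by address for brevity (a real deployment would also bind it to the session), and HMAC stands in for the wallet's ECDSA signature.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 300  # seconds a challenge stays valid (assumed value)


def sign(key, nonce):
    # Stand-in for the wallet's ECDSA signature so the model needs no
    # third-party library; a real flow recovers the signer's address.
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


class WalletLogin:
    """Three-step wallet login whose steps share server-side state."""

    def __init__(self, wallet_keys):
        self._keys = wallet_keys  # constructed sample: address -> key
        self._pending = {}        # address -> [nonce, issued_at, verified]

    def request_nonce(self, address):
        # Step 1: issue a fresh single-use challenge for this attempt.
        nonce = secrets.token_hex(16)
        self._pending[address] = [nonce, time.time(), False]
        return nonce

    def _live(self, address):
        entry = self._pending.get(address)
        if entry and time.time() - entry[1] <= NONCE_TTL:
            return entry
        return None

    def verify_signature(self, address, signature):
        # Step 2: record the result against this address and this nonce.
        entry, key = self._live(address), self._keys.get(address)
        if entry is None or key is None:
            return False
        entry[2] = hmac.compare_digest(sign(key, entry[0]), signature)
        return entry[2]

    def complete_login(self, address, nonce):
        # Step 3: knowing the nonce is not enough. Step 2 must have passed
        # for the same address and nonce, and the challenge is consumed.
        entry = self._live(address)
        self._pending.pop(address, None)
        if entry is None or not entry[2]:
            return False
        return hmac.compare_digest(entry[0], nonce)
```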
## References
https://wpscan.com/vulnerability/7f30ab20-805b-422c-a9a5-21d39c570ee4
https://vulners.com/cve/CVE-2023-6036