GTSolutions Pie Register
cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:wordpress:*:*
- <= 3.7.1.4
An authentication bypass vulnerability has been identified in the WordPress Pie Register plugin, specifically in versions through 3.7.1.4. This vulnerability allows unauthenticated attackers to impersonate any user by sending a crafted POST request to the login endpoint. By including social_site=true and manipulating the user_id_social_site parameter, an attacker can create a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker can exploit the plugin's upload feature to install a malicious plugin containing arbitrary PHP code, leading to remote code execution on the server.
Exploitation of this vulnerability allows for authentication bypass, enabling attackers to impersonate users, including administrators. This could be followed by unauthorized actions on behalf of the impersonated user, such as executing malicious code through an uploaded plugin.
To reproduce this vulnerability, send a POST request to the WordPress login endpoint with the user_id_social_site parameter set to the ID of the user to impersonate (this can be an administrator's ID), and with social_site=true. This will generate a valid session cookie for the specified user ID. After obtaining the cookie, it can be used to authenticate and access the WordPress admin area. Once authenticated, upload a malicious plugin through the WordPress plugin upload functionality. The uploaded plugin can then be activated, executing the embedded PHP code on the server.
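For detection, the request described above has a distinctive shape: a POST body carrying both social_site=true and user_id_social_site. The following is an added example, not code from the plugin or from this advisory. It assumes a WAF or reverse proxy that logs request bodies as one JSON object per line; the field names (ip, method, path, body), the paths and the sample records are constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed sample records, not real traffic. Assumed log format: one JSON
# object per line with the client IP, method, path and raw urlencoded body.
SAMPLE_LOG = """\
{"ip": "198.51.100.4", "method": "POST", "path": "/wp-login.php", "body": "log=alice&pwd=constructed"}
{"ip": "203.0.113.7", "method": "POST", "path": "/login/", "body": "log=x&pwd=y&social_site=true&user_id_social_site=1"}
{"ip": "198.51.100.4", "method": "GET", "path": "/login/", "body": ""}
{"ip": "203.0.113.9", "method": "POST", "path": "/login/", "body": "social%5Fsite=true&user%5Fid%5Fsocial%5Fsite=2"}
{"ip": "198.51.100.8", "method": "POST", "path": "/login/", "body": "log=bob&social_site=true"}
not-json
"""


def find_social_login_abuse(log_text):
    """Return one finding per POST whose body sets social_site=true together
    with user_id_social_site, the parameter pair named in the advisory."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed log lines
        if not isinstance(rec, dict):
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        # parse_qs percent-decodes names and values, so encoded parameter
        # names (social%5Fsite) are matched as well.
        params = parse_qs(str(rec.get("body") or ""), keep_blank_values=True)
        flags = [v.strip().lower() for v in params.get("social_site", [])]
        ids = params.get("user_id_social_site")
        if "true" in flags and ids is not None:
            findings.append({
                "line": lineno,
                "ip": rec.get("ip"),
                "path": rec.get("path"),
                # PHP keeps the last value when a parameter name repeats.
                "user_id": ids[-1],
            })
    return findings


if __name__ == "__main__":
    for f in find_social_login_abuse(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} -> {f['path']} user_id={f['user_id']}")
```

The path is deliberately not filtered, because the advisory does not name the login URL. A hit on a site running Pie Register 3.7.1.4 or earlier warrants reviewing sessions and recently installed plugins for the reported user ID.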