WordPress Form Notify Plugin Authentication Bypass Vulnerability

Vulnerability

A vulnerability allowing authentication bypass has been identified in the Form Notify plugin for WordPress, affecting versions through 1.1.10. The issue arises because the plugin relies on user-controlled cookie data to authenticate users after a LINE OAuth login. When LINE does not provide an email address, the plugin defaults to the 'form_notify_line_email' cookie value, without verifying if the LINE account is linked to that email. This flaw enables unauthenticated attackers to access any user account on the site, including admin accounts, by completing a LINE OAuth flow with their own account and injecting a cookie with the target victim's email.

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass authentication and gain access to any WordPress user account, including those with administrative privileges.

Reproduction

To reproduce this vulnerability, log into a WordPress site that has the Form Notify plugin installed at a version prior to 1.1.11. Initiate the LINE OAuth login process. If LINE does not provide an email, the plugin will use the 'form_notify_line_email' cookie to determine the user account. By injecting a cookie with the email of a target user, an attacker can gain access to that account after completing the LINE login.

Remediation

Users are advised to update the Form Notify plugin to version 1.1.11, which addresses the authentication bypass issue by changing the login process to use LINE user identifiers instead of email addresses.
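The fallback described in this advisory and the fix it mentions, written as a hypothetical WordPress login handler. This is an added illustration, not the plugin's code; the function names, the 'line_user_id' meta key and the shape of the $profile array are assumptions. The vulnerable form resolves the account from whatever email the request claims; the hardened form resolves it only from the LINE user ID attested through the OAuth exchange.

```php
<?php
// Hypothetical illustration of the flaw described in this advisory; not the
// plugin's actual code. $profile is the decoded LINE profile data returned
// after the OAuth exchange (assumed shape: 'userId', optional 'email').

// Vulnerable pattern: when LINE returns no email, fall back to a cookie the
// browser supplied. Cookies are client-controlled, so the lookup resolves to
// whichever account email the request chose to present.
function vulnerable_line_login( array $profile ) {
    $email = $profile['email'] ?? '';
    if ( '' === $email && isset( $_COOKIE['form_notify_line_email'] ) ) {
        $email = sanitize_email( wp_unslash( $_COOKIE['form_notify_line_email'] ) );
    }
    $user = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID ); // session for whoever owns $email
    }
}

// Hardened pattern: the only identity input is the LINE user ID, which LINE
// attests through the OAuth exchange. It is matched against a user meta value
// written when the account was explicitly linked; nothing from the request
// (cookies, query args) is consulted, and an unlinked ID is rejected.
function hardened_line_login( array $profile ) {
    $line_user_id = $profile['userId'] ?? '';
    if ( '' === $line_user_id ) {
        return new WP_Error( 'line_no_id', 'LINE did not return a user ID.' );
    }
    $users = get_users( array(
        'meta_key'   => 'line_user_id', // assumed key set during account linking
        'meta_value' => $line_user_id,
        'number'     => 2,              // more than one match is a broken mapping
        'fields'     => 'ID',
    ) );
    if ( 1 !== count( $users ) ) {
        return new WP_Error( 'line_not_linked', 'This LINE account is not linked to a site account.' );
    }
    $user_id = (int) $users[0];
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    return $user_id;
}
```

Linking a LINE ID to an account (the update_user_meta write the hardened path relies on) should itself happen only inside an already authenticated session, otherwise the same bypass reappears at the linking step.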

Added: May 15, 2026, 12:54 PM
Updated: May 15, 2026, 12:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.2
remediation: 0.0
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.