Login with NEAR
- <= 0.3.3
An authentication bypass vulnerability has been identified in the WordPress Login with NEAR plugin, affecting all versions through 0.3.3. The issue is in the 'ajaxLoginWithNear()' function, which is reachable by unauthenticated users. The function accepts an 'account' POST parameter and issues a valid WordPress authentication cookie based only on a substring check for '.near'. It performs no nonce verification, no cryptographic signature validation, and requires no proof of control over the corresponding NEAR wallet. As a result, unauthenticated attackers can log in as any WordPress user, including administrators, whose email matches the pattern '<account>@near.org'. If no such user exists, a new account is created automatically, allowing further unauthorized access.
Exploitation of this vulnerability allows for authentication bypass, enabling attackers to log in as any WordPress user, including administrators, or to create new accounts with administrative privileges.
To reproduce this vulnerability, send a POST request to the unauthenticated AJAX endpoint registered as 'wp_ajax_nopriv_loginWithNearLogin' with an 'account' parameter whose value contains the substring '.near'. If no corresponding user exists, a new account is created.
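A defender-side check that follows from the description above, added here as an example (not code from the plugin or from this advisory): it reads a WordPress user export and lists the accounts whose email fits the '<account>@near.org' pattern the handler trusts, so they can be reviewed as exposed or as possibly auto-created. Assumptions: the CSV uses the column layout of `wp user list --format=csv`, the sample rows are constructed, and the severity labels and case-insensitive matching are choices made for this audit.

```python
import csv
import io

# Constructed sample in the default column layout of `wp user list --format=csv`.
# None of these users are real.
SAMPLE_EXPORT = """ID,user_login,display_name,user_email,user_registered,roles
1,siteadmin,Site Admin,admin@example.com,2021-03-02 10:00:00,administrator
7,alice.near,alice.near,alice.near@near.org,2023-06-11 08:14:09,administrator
9,bob.near,bob.near,Bob.Near@NEAR.org,2024-01-20 22:41:55,subscriber
12,carol,Carol,carol@near.org,2022-09-01 12:00:00,editor
15,dave,Dave,dave.near@example.org,2022-10-05 09:30:00,author
"""

NEAR_DOMAIN = "near.org"   # email domain from the advisory's pattern
ACCOUNT_MARKER = ".near"   # substring the handler checks in 'account'


def audit_users(export_csv):
    """Return users whose email has the form '<account>@near.org' with
    '.near' inside <account>, administrators first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # Assumption: compare case-insensitively so the audit errs on the
        # side of flagging an account.
        email = row["user_email"].strip().lower()
        local, sep, domain = email.rpartition("@")
        if not sep or domain != NEAR_DOMAIN or ACCOUNT_MARKER not in local:
            continue
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        findings.append({
            "id": int(row["ID"]),
            "login": row["user_login"],
            "account": local,  # value that would match as 'account'
            "registered": row["user_registered"],
            # Labels are this audit's own, not a scoring from the advisory.
            "severity": "critical" if "administrator" in roles else "review",
        })
    findings.sort(key=lambda f: (f["severity"] != "critical", f["id"]))
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_EXPORT):
        print(f'{f["severity"]:8} id={f["id"]} login={f["login"]} '
              f'account={f["account"]} registered={f["registered"]}')
```

Accounts it reports with a registration date after the plugin was installed are the ones to check first for automatic creation.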