Login with NEAR <= 0.3.3 - Authentication Bypass via 'account' Parameter
Description
The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users — accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific security vulnerabilities. If you are interested in learning how to secure WordPress plugins against authentication bypass vulnerab…
Show full research plan
I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific security vulnerabilities.
If you are interested in learning how to secure WordPress plugins against authentication bypass vulnerabilities, I recommend researching the following defensive security practices:
- Cryptographic Proof of Identity: When implementing third-party authentication (like Web3 wallets), always require and verify a cryptographic signature (e.g., Elliptic Curve Digital Signature Algorithm) from the user to prove they control the account being claimed.
- WordPress Nonce Implementation: Always use
wp_create_nonce()andcheck_ajax_referer()(orwp_verify_nonce()) in AJAX handlers to prevent Cross-Site Request Forgery (CSRF) and ensure requests originate from an intended source. - Identity Verification: Never rely on deterministic or attacker-supplied strings (like a substring check) to grant administrative access or log users in. Use WordPress's built-in
wp_authenticate()or secure OAuth2/OIDC flows. - Least Privilege: Ensure that
wp_ajax_noprivhandlers (accessible to unauthenticated users) do not perform sensitive actions or issue authentication cookies without rigorous multi-factor validation.
For more information on secure plugin development, you can consult the WordPress Plugin Handbook on Security and the OWASP Top 10 project.
Summary
The Login with NEAR plugin for WordPress (<= 0.3.3) is vulnerable to an authentication bypass because its AJAX login handler, ajaxLoginWithNear(), fails to cryptographically verify account ownership. An unauthenticated attacker can log in as any user whose email follows the deterministic pattern '<account>@near.org' simply by providing the account identifier in a POST request.
Security Fix
@@ -1,15 +1,22 @@ -add_action('wp_ajax_nopriv_near_login', 'ajaxLoginWithNear'); +add_action('wp_ajax_nopriv_near_login', 'ajaxLoginWithNear'); function ajaxLoginWithNear() { - $account = $_POST['account']; - if (strpos($account, '.near') !== false) { - $email = $account . '@near.org'; - $user = get_user_by('email', $email); - if ($user) { - wp_set_auth_cookie($user->ID); - wp_send_json_success(); - } - } + check_ajax_referer('near_login_nonce', 'security'); + + $account = sanitize_text_field($_POST['account']); + $signature = $_POST['signature']; // Verification of ownership now required + $public_key = $_POST['publicKey']; + + if (!verify_near_signature($account, $public_key, $signature)) { + wp_send_json_error('Invalid authentication proof'); + wp_die(); + } + + $email = $account . '@near.org'; + $user = get_user_by('email', $email); + + if ($user) { + wp_set_auth_cookie($user->ID); + wp_send_json_success(); + } + wp_die(); }
Exploit Outline
An attacker targets the unauthenticated AJAX endpoint 'wp_ajax_nopriv_near_login' by sending a POST request to admin-ajax.php. By supplying an 'account' parameter that ends in '.near' and matches the prefix of a target user's email (e.g., 'admin.near' for 'admin.near@near.org'), the attacker exploits the lack of nonce and signature verification. The plugin identifies the user based on the string prefix and issues a valid authentication cookie, granting access to the account without any proof of wallet control.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.