May 12, 2026
Critical Authentication Flaw — Grants Full WordPress Admin Access
Ahmed Mahmoued
Hi everyone,
Today I will share my latest finding from a Bug Bounty Program (BBP). It's a critical vulnerability that allows any attacker to gain full WordPress Admin access through the REST API and completely control the site.
Let's dive into it.
The first thing that caught my attention was the signup function. It had a strange and non-standard name — admin-ajax.php — which immediately piqued my interest. So, I signed up as a normal user.
After the account was created, I received a JWT token. This is normal behavior for many applications, so I didn't think much of it at first.
The first thing I did was visit /wp-json/ to explore all the available REST API endpoints. As expected, it required authentication. So, I decided to test the JWT token I received during signup, and it worked!!
When I used the JWT token from signup, I was shocked to discover that it had full administrator privileges. This allowed me to:
- Enumerate and extract all users' PII (Personally Identifiable Information)
- Export user data in Excel format
- Delete any user account
- Access and control almost all sensitive WordPress REST API endpoints
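The root of what is described above is a signup-issued token that carries administrator privileges and a REST layer that treats "valid token" as "authorized". The following Python model is an added example for this post, not code from the author or from the affected site: it mirrors the WordPress idea of roles, capabilities and a per-route permission check (WordPress's permission_callback) using only the standard library. The secret, the role table, the `/wp-json/example/v1/export` and `/wp-json/wp/v2/users/delete` routes, and the `signup()` behaviour are assumptions made for the illustration; `/wp-json/wp/v2/users` is the core users route the post refers to.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads it from configuration.
SECRET = b"demo-secret-not-for-production"

# Capability table loosely modelled on WordPress roles (assumption for this example).
ROLE_CAPS = {
    "subscriber": {"read"},
    "administrator": {"read", "list_users", "export", "delete_users", "manage_options"},
}

# Capability each REST route requires. Unknown routes fall back to manage_options (deny by default).
# The export and delete routes are hypothetical names for this example.
ENDPOINT_CAPS = {
    "/wp-json/wp/v2/users": "list_users",
    "/wp-json/example/v1/export": "export",
    "/wp-json/wp/v2/users/delete": "delete_users",
}

_USERS = {}  # constructed in-memory account store: username -> (user_id, role)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, role: str, ttl: int = 3600, now=None) -> str:
    """Issue an HS256 JWT. The role claim comes from the server-side account
    record; nothing in the signup request can influence it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_unb64(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses 'none' and algorithm swaps
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def authorize(token: str, endpoint: str, now=None) -> bool:
    """Per-route capability check, the analogue of a REST permission_callback.
    A valid signature alone never grants access; the role must hold the capability."""
    payload = verify_token(token, now)
    caps = ROLE_CAPS.get(payload.get("role"), set())
    return ENDPOINT_CAPS.get(endpoint, "manage_options") in caps


def signup(username: str, now=None) -> str:
    """Self-service signup always creates the least-privileged role, so the
    token it returns cannot reach admin-only routes."""
    user_id = len(_USERS) + 1
    _USERS[username] = (user_id, "subscriber")
    return issue_token(user_id, "subscriber", now=now)


def is_overprivileged(token: str, now=None) -> bool:
    """Audit helper for reviewing tokens handed out by a signup flow: flags any
    token whose role carries manage_options."""
    role = verify_token(token, now).get("role")
    return "manage_options" in ROLE_CAPS.get(role, set())


if __name__ == "__main__":
    t = signup("alice")
    print("subscriber can list users:", authorize(t, "/wp-json/wp/v2/users"))
    print("signup token over-privileged:", is_overprivileged(t))
```

The two checks that matter are separated on purpose: `verify_token()` only answers "is this token genuine and current", while `authorize()` answers "may this principal call this route". A signup token with `role: administrator` would still pass the first check, which is why `is_overprivileged()` exists as a review step for whatever issues tokens, and why every route needs its own capability requirement rather than relying on authentication alone.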
I hope you found this interesting. Bye!