Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2023-6036 PoC — Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass

Source
https://github.com/pctripsesp/CVE-2023-6036
Associated Vulnerability
Title:Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass (CVE-2023-6036)
Description:The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Description
POC about Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass Wordpress plugin
Readme
# CVE-2023-6036
POC about Wordpress plugin _Web3 – Crypto wallet Login &amp; NFT token gating &lt; 3.0.0 - Authentication Bypass_


This vulnerability is about authentication bypass due incorrect authentication checking in the ‘handle_login_request’ function and ‘handle_auth_request' function



## Vulnerability

I have divided login flow in 3 steps, that are actually 3 different POST when login through our web3 wallet.

### 1. handle_login_request
![](img/1.png)

![](img/2.png)

With this POST request, anybody can retrieve an existing user nonce, so you can get admin user’s nonce just by knowing his username or wallet, replacing param “address” with it’s username and making the POST request.

Then, you can drop the second login POST, as this only checks if the signature of the nonce is correct or not, but it’s issolated from the login flow.


### 2. handle_auth_request
![](img/3.png)

![](img/4.png)

In the 3 step, you can make the login just by sending:

• target username

• target nonce (from step 1)

• public wp nonce


### 3. hidden_form_data

![](img/5.png)

![](img/6.png)

So basically don’t check that the user is trying to login in the 3 step is the same user that make the signature in step 2; and anybody can bypass the auth login and pontetially do it as an admin user.


## References

https://wpscan.com/vulnerability/7f30ab20-805b-422c-a9a5-21d39c570ee4

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6036

https://www.udemy.com/course/0-day-wordpress/?referralCode=7039562B316447367B85
File Snapshot

 [4.0K]  /data/pocs/ddd67221b53dac34b1ca78065cba178ae354f97f
├── [2.0K]  CVE-2023-6036.py
├── [4.0K]  img
│   ├── [194K]  1.png
│   ├── [ 96K]  2.png
│   ├── [ 91K]  3.png
│   ├── [361K]  4.png
│   ├── [151K]  5.png
│   └── [574K]  6.png
├── [ 756]  nuclei_template.yaml
└── [1.5K]  README.md

1 directory, 9 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →