It is possible to log in as any administrator on the site because of a logic error in the plugin's request handling. The issue resides in the function iwp_mmb_set_request, located in init.php. That function only checks that the request_params array of the core class is not empty. request_params is populated by a separate function, and only when the incoming payload meets certain conditions; in this case the actions readd_site and add_site are the only actions that are not subject to an authorization check, which is the root cause. Once a payload satisfies those conditions, the supplied username parameter is used to log the requester in as that user without any further authentication. The net effect is an unauthenticated authentication bypass: an attacker needs nothing more than the username of an administrator account.
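The following is an added illustration of the control-flow mistake described above, written for this page; it is not the plugin's code and does not reproduce its real structure. All names (vulnerable_set_request, hardened_set_request, verify_signature, login_as, the user table, the shared secret and the HMAC scheme) are hypothetical stand-ins: verify_signature represents whatever authorization check the plugin applies to its other actions, and login_as represents the WordPress login that the real code performs with the supplied username.

```php
<?php
// Added illustration of the described flaw; hypothetical names, not the plugin's code.

// Constructed stand-in for the WordPress user table (username => user ID).
const USERS = ['admin' => 1, 'editor' => 2];

// Constructed shared secret that a legitimate management server would hold.
const SHARED_SECRET = 'constructed-secret';

// Actions that, per the advisory, reach request_params without an authorization check.
const UNCHECKED_ACTIONS = ['add_site', 'readd_site'];

// Hypothetical authorization check: HMAC over the encoded params (assumed scheme;
// a real implementation would sign a canonical encoding and a nonce as well).
function verify_signature(array $payload): bool {
    $expected = hash_hmac('sha256', json_encode($payload['params'] ?? []), SHARED_SECRET);
    return isset($payload['signature']) && hash_equals($expected, $payload['signature']);
}

// Stand-in for the WordPress login: returns the ID of the user logged in, or null.
function login_as(string $username): ?int {
    return USERS[$username] ?? null;
}

// Vulnerable flow: request_params is filled for the unchecked actions without any
// authorization, and the only gate before login is "is request_params non-empty?".
function vulnerable_set_request(array $payload): ?int {
    $request_params = [];
    $action = $payload['action'] ?? '';
    if (in_array($action, UNCHECKED_ACTIONS, true)) {
        $request_params = $payload['params'] ?? [];   // populated with no authorization check
    } elseif (verify_signature($payload)) {
        $request_params = $payload['params'] ?? [];   // every other action is authorized first
    }
    if (!empty($request_params) && isset($request_params['username'])) {
        return login_as($request_params['username']); // no further authentication
    }
    return null;
}

// Hardened flow: every action is authorized before any request parameter is trusted,
// so a bare username can never reach the login step.
function hardened_set_request(array $payload): ?int {
    if (!verify_signature($payload)) {
        return null;
    }
    $request_params = $payload['params'] ?? [];
    if (isset($request_params['username'])) {
        return login_as($request_params['username']);
    }
    return null;
}

// Constructed forged request: only an unchecked action and a target username, no signature.
$forged = ['action' => 'readd_site', 'params' => ['username' => 'admin']];
var_dump(vulnerable_set_request($forged));
var_dump(hardened_set_request($forged));

// Constructed legitimately signed request, which the hardened flow still accepts.
$params = ['username' => 'admin'];
$signed = [
    'action'    => 'readd_site',
    'params'    => $params,
    'signature' => hash_hmac('sha256', json_encode($params), SHARED_SECRET),
];
var_dump(hardened_set_request($signed));
```

Run with the PHP CLI: the forged request logs the vulnerable flow in as user ID 1 (admin) while the hardened flow rejects it, and the signed request is accepted by the hardened flow. The design point is that "request_params is non-empty" is a statement about parsing, not about authorization; the fix is to authorize the request before the parameters are populated, for every action, rather than to add a second emptiness check later.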
Proof of Concept