Introduction
Attackers with only Subscriber-level access to a WordPress site can gain full administrative control if the WPBifröst plugin is present and unpatched. This vulnerability impacts any site using WPBifröst up to version 1.0.7, allowing privilege escalation and complete site takeover through a missing authorization check in an AJAX handler.
WPBifröst – Instant Passwordless Temporary Login Links is a WordPress plugin designed to simplify temporary access management by generating passwordless login links. It is distributed via the official WordPress plugin repository and is used by site administrators seeking to avoid sharing permanent credentials.
Technical Information
The vulnerability exists in the ctl_create_link AJAX action handler of the WPBifröst plugin. In all versions up to and including 1.0.7, this handler does not verify the capability of the requesting user before processing requests to create temporary login links. Specifically, it lacks a call to WordPress's current_user_can() or an equivalent capability check. This matters because WordPress registers AJAX handlers through the wp_ajax_{action} hook, which fires for every authenticated user regardless of role; reaching the handler therefore says nothing about whether the caller is authorized, and the handler itself has to enforce that.
An authenticated user (Subscriber-level or higher) can send a crafted AJAX POST request to admin-ajax.php with the action parameter set to ctl_create_link. By specifying the Administrator role in the request parameters, the attacker instructs the plugin to generate a temporary login link that grants administrative access when used. The plugin processes this request without validating whether the user is authorized to create such links, or to create them for a role above their own, resulting in a privilege escalation from Subscriber to Administrator once the attacker visits the generated link.
This is a textbook example of CWE-862 (Missing Authorization), where the application fails to check if the user has the required permissions to perform a sensitive action. The flaw is particularly severe on sites with open registration, as attackers can easily register as Subscribers and then escalate their privileges.
No public code snippets are available for the vulnerable handler, but the exploitation method is confirmed by multiple security advisories.
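Since the vulnerable handler has not been published, the following is an added, illustrative reconstruction of the pattern the advisory describes, written for this page and not taken from WPBifröst. It pairs a handler that accepts any logged-in caller with a hardened form that adds the checks a reviewer would expect on a handler that can mint a login as another role. The hook name ctl_create_link comes from the advisory; the request parameter names (role, nonce, expires), the nonce action string, the token storage layout and the ctl_token query argument are assumptions made for this example.

```php
<?php
/**
 * Illustrative plugin fragment (added example, not WPBifröst's code).
 * Shows the CWE-862 pattern described in the advisory next to a hardened form.
 * Assumed: POST parameters 'role', 'nonce', 'expires'; nonce action
 * 'ctl_create_link'; links redeemed via a 'ctl_token' query argument.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/* ---- Vulnerable pattern: every authenticated user reaches this hook. ---- */

// wp_ajax_* hooks fire for any logged-in user, Subscribers included. Nothing
// here asks whether the caller may create links at all, or for which role, so
// role=administrator sent by a Subscriber is honoured as-is.
function ctl_create_link_vulnerable() {
    $role  = isset( $_POST['role'] ) ? sanitize_text_field( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    $token = wp_generate_password( 32, false );
    set_transient( 'ctl_link_' . $token, array( 'role' => $role ), DAY_IN_SECONDS );
    wp_send_json_success( array( 'url' => add_query_arg( 'ctl_token', $token, home_url( '/' ) ) ) );
}
// add_action( 'wp_ajax_ctl_create_link', 'ctl_create_link_vulnerable' ); // intentionally not hooked

/* ---- Hardened form: CSRF, capability and role-ceiling checks. ---- */

function ctl_create_link_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'ctl_create_link', 'nonce' );

    // 2. Authorization, the check missing in CWE-862: only users who may
    //    create accounts may mint login links at all.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Role ceiling: the requested role must exist, and the caller must
    //    already hold every capability it grants. A caller can never mint a
    //    login that is more powerful than their own account.
    $role   = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    $target = get_role( $role );
    if ( ! $target ) {
        wp_send_json_error( array( 'message' => 'Unknown role.' ), 400 );
    }
    foreach ( array_keys( array_filter( $target->capabilities ) ) as $cap ) {
        if ( ! current_user_can( $cap ) ) {
            wp_send_json_error( array( 'message' => 'Role exceeds your own privileges.' ), 403 );
        }
    }

    // 4. Bounded lifetime: clamp to [1 minute, 24 hours]; reject zero/negative.
    $expires = isset( $_POST['expires'] ) ? absint( $_POST['expires'] ) : HOUR_IN_SECONDS;
    $expires = max( MINUTE_IN_SECONDS, min( $expires, DAY_IN_SECONDS ) );

    // 5. Unguessable token; only its hash is persisted, so a read of the
    //    options table alone does not yield a usable link. The redemption
    //    handler (not shown) must look up the hash, apply the stored role,
    //    and delete the transient so the link is single-use.
    $token = wp_generate_password( 43, false );
    set_transient(
        'ctl_link_' . hash( 'sha256', $token ),
        array(
            'role'       => $role,
            'created_by' => get_current_user_id(),
        ),
        $expires
    );

    wp_send_json_success(
        array(
            'url'     => add_query_arg( 'ctl_token', rawurlencode( $token ), home_url( '/' ) ),
            'expires' => $expires,
        )
    );
}
add_action( 'wp_ajax_ctl_create_link', 'ctl_create_link_hardened' );
```

The capability check alone (step 2) closes the reported issue, because a Subscriber does not hold create_users. The role-ceiling loop (step 3) is the extra guard a practitioner should insist on for any feature that impersonates or provisions another role: it prevents a lower-privileged user who has been granted create_users from minting an Administrator login. Note that a nonce check by itself is not an authorization control; it only proves the request came from a page the same user loaded, so it must be paired with current_user_can().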
Affected Systems and Versions
- Product: WPBifröst – Instant Passwordless Temporary Login Links (WordPress plugin)
- Affected versions: All versions up to and including 1.0.7
- Vulnerable configuration: Any WordPress site with the plugin installed and activated, regardless of registration settings. Sites with open registration are at higher risk.
Vendor Security History
- No public record of previous vulnerabilities for WPBifröst.
- No information on vendor patch response time or security maturity.