WordPress Authentication Bypass

OWASP 2013-A2 OWASP 2017-A2 OWASP 2021-A7 OWASP PC-C7 CAPEC-115 CWE-287 WASC-01 WSTG-ATHN-04

Web applications hosted on a server usually require authentication before they grant access to private information or allow tasks to be executed. Older versions of WordPress are prone to an authentication bypass vulnerability. An attacker can exploit it to gain unauthorised access to the server and bypass the security restrictions that have been implemented. The attacker exploits the vulnerability by changing requests so that the application is tricked into thinking the attacker is already authenticated. Plugins such as UserPro are vulnerable to maliciously crafted HTTP requests, and a vulnerable plugin can expose the site to attacks such as an authentication bypass. The attacker uses the vulnerability to gain administrator access to the web application.


An attacker who exploits this vulnerability can:

  • gain access to the server and execute malicious code.
  • make the web application unstable.

Mitigation / Precaution
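
The request tampering described above succeeds when a handler takes authentication state from the request itself. The following is an added example, not code from WordPress or any plugin: it places a handler that trusts a request parameter beside one that accepts only a server-signed, expiring session token. The `logged_in` parameter, the `session` cookie, the key and the token layout are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-site secret, never sent to clients
SESSION_TTL = 3600                    # session lifetime in seconds


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, role, now=None):
    """Issue a signed token; called only after credentials were verified."""
    if "|" in user or "|" in role:
        raise ValueError("field separator not allowed in user or role")
    expires = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user}|{role}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_session(token, now=None):
    """Return (user, role) for an untampered, unexpired token, else None."""
    parts = (token or "").split("|")
    if len(parts) != 4:
        return None
    user, role, expires, sig = parts
    expected = _sign(f"{user}|{role}|{expires}")
    # Constant-time comparison; the signature is checked before any field is used.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    return user, role


def admin_page_vulnerable(request):
    """Flawed: authentication state is read from client-controlled input."""
    if request.get("params", {}).get("logged_in") == "1":  # hypothetical parameter
        return 200
    return 403


def admin_page_hardened(request):
    """Identity and role come only from the server-signed session cookie."""
    session = verify_session(request.get("cookies", {}).get("session"))
    if session is None:
        return 401
    return 200 if session[1] == "administrator" else 403
```

The hardened handler ignores request parameters entirely, so editing the request or the role field inside the token yields 401 rather than administrator access.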

