Support » Plugin: Expire Users » Is it possible for a hacker to bypass this plugin?

  • Resolved Rado

    (@jeriksson)


    Hi,

    I have issues with someone that appears to be able to stay logged in even if expire users has set account to expired.

    I personally cannot login but i see in my logs that he is logging in and hitting links that are hidden.

    Is there anyway to bypass this by hitting a fake cookie or something? I see that he is actually logging in via the login page but when i do the same i get a message saying i’m expired, but when he does it he appears to get logged in and redirected to the area i’ve setup for logged in users.

    He appears to be using Chrome as a browser but this could ofcourse be fake, but when i try with chrome i cannot login using his account.

    Ideas how he does this?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Rado

    (@jeriksson)

    Not sure why this plugin isn’t securely logging out users that have been expired but updating the code to wp_clear_auth_cookie(); upon login attempt may fix this, there’s definitely a way to login even if you have an expired account and bypass this plugin, perhaps by posting directly to wp-login.php rather then surfing to wp-login.php page.

    Using latest version of this plugni 1.02 and latest version of wordpress: 4.9.7

    • This reply was modified 10 months ago by  Rado.
    Plugin Author Ben Huson

    (@husobj)

    Hi Rado,

    The plugin does checks on login, but if a user has checked the “remember me” option or their auth cookie has been kept (i.e. not previously logged out properly) then it seems to bypass the checks.

    I have added some code so if a user is logged in, whilst browsing their expiry details will be checked on each page load so they should be logged out immediately if they expire.

    I will release an update but you can test this version if you like.

    Many thanks

    Ben

    Plugin Author Ben Huson

    (@husobj)

    Hopefully resolved in version 1.0.3 ?

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Is it possible for a hacker to bypass this plugin?’ is closed to new replies.