AuthMe Velocity is a plugin developed by 4drian3d that extends AuthMeReloaded support for networks that use Velocity as a proxy. However, in one of its latest versions, a critical exploit was discovered that allows the authentication of any user to be forced without knowing their password, putting the security of the servers that use it at risk.
The exploit works by sending a crafted plugin message through the
authmevelocity:main channel.
This is due to the plugin not properly validating the source of the connection,
allowing an attacker to send spoofed messages. In this way, they can force
the authentication of any user without their consent, compromising the
server's security.
To use this exploit, you can use the proxy command in MCPTool and use the /authmevelocityexploit command.
Vulnerable versions of this plugin are 4.1.1 and below.
You can download a server with everything you need to test the exploit locally on your PC from this link.