Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting (XSS)



Description
Versions 1.3.8 to 1.3.9 the Loginizer WordPress Plugin were found to be vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability was due to the Plugin’s logging functionality using the $_SERVER['REQUEST_URI'] PHP variable to create a URL string that was logged to the database without any input validation. The URL that was saved to the database was later output within HTML without any output encoding.

An unauthenticated attacker could inject malicious JavaScript into the Loginizer - Brute Force Settings page where attempted brute force logs are displayed. When an administrative user visits the page, the JavaScript would be executed, which could allow an unauthenticated attacker to entirely compromise the WordPress application.
Proof of Concept
curl --data "log=admin&pwd=admin&wp-submit=Log+In&redirect_to=&testcookie=1" "http://www.example.com/wp-login.php?a=<script>alert(/XSS/)</script>" 

Affects Plugin

fixed in version 1.4.0

References

CVE 2018-11366
URL https://blog.dewhurstsecurity.com/2018/05/22/loginizer-wordpress-plugin-xss-vulnerability.html
URL https://plugins.trac.wordpress.org/changeset/1878502/loginizer

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Ryan
Submitter Website https://dewhurstsecurity.com/
Views 1473
Verified No
WPVDB ID 9088

Timeline

Publicly Published 2018-05-22 (7 months ago)
Added 2018-05-22 (7 months ago)
Last Updated 2018-05-22 (7 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.