Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting (XSS)

Versions 1.3.8 to 1.3.9 the Loginizer WordPress Plugin were found to be vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability was due to the Plugin’s logging functionality using the $_SERVER['REQUEST_URI'] PHP variable to create a URL string that was logged to the database without any input validation. The URL that was saved to the database was later output within HTML without any output encoding.

An unauthenticated attacker could inject malicious JavaScript into the Loginizer - Brute Force Settings page where attempted brute force logs are displayed. When an administrative user visits the page, the JavaScript would be executed, which could allow an unauthenticated attacker to entirely compromise the WordPress application.
Proof of Concept
curl --data "log=admin&pwd=admin&wp-submit=Log+In&redirect_to=&testcookie=1" "http://www.example.com/wp-login.php?a=<script>alert(/XSS/)</script>" 

Affects Plugin

fixed in version 1.4.0


CVE 2018-11366
URL https://blog.dewhurstsecurity.com/2018/05/22/loginizer-wordpress-plugin-xss-vulnerability.html
URL https://plugins.trac.wordpress.org/changeset/1878502/loginizer


Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)


Submitter Ryan
Submitter Website https://dewhurstsecurity.com/
Views 4042
Verified No


Publicly Published 2018-05-22 (about 1 year ago)
Added 2018-05-22 (about 1 year ago)
Last Updated 2018-05-22 (about 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.