Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting (XSS)



Description
Versions 1.3.8 to 1.3.9 the Loginizer WordPress Plugin were found to be vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability was due to the Plugin’s logging functionality using the $_SERVER['REQUEST_URI'] PHP variable to create a URL string that was logged to the database without any input validation. The URL that was saved to the database was later output within HTML without any output encoding.

An unauthenticated attacker could inject malicious JavaScript into the Loginizer - Brute Force Settings page where attempted brute force logs are displayed. When an administrative user visits the page, the JavaScript would be executed, which could allow an unauthenticated attacker to entirely compromise the WordPress application.
Proof of Concept
curl --data "log=admin&pwd=admin&wp-submit=Log+In&redirect_to=&testcookie=1" "http://www.example.com/wp-login.php?a=<script>alert(/XSS/)</script>" 

Affects Plugin

fixed in version 1.4.0

References

CVE 2018-11366
URL https://blog.dewhurstsecurity.com/2018/05/22/loginizer-wordpress-plugin-xss-vulnerability.html
URL https://plugins.trac.wordpress.org/changeset/1878502/loginizer

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Ryan
Submitter Website https://dewhurstsecurity.com/
Views 5740
Verified No
WPVDB ID 9088

Timeline

Publicly Published 2018-05-22 (over 1 year ago)
Added 2018-05-22 (over 1 year ago)
Last Updated 2019-11-01 (about 1 month ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin