LoginPress <= 1.1.15 - Authenticated Blind SQL Injection



Description
A blind time-based SQL injection, combined with a missing permission check, allows an attack that any authenticated user on the site (including subscriber accounts) can perform.

1. Lack of permission check in settings import

Similar to our recent analysis, this vulnerability was also caused by a missing permission check on the plugin's settings import, allowing any registered user to import custom settings and alter the login page.

An array of functions is registered as AJAX hooks, so each can be called via `admin-ajax.php?action=loginpress_<functionName>`.

The `import` function, which handles the incoming JSON settings, performs no permission check, allowing any logged-in user on the site to update the plugin settings.

2. SQL Injection in settings import

The blind time-based SQL injection is located in the same `import` function as the first vulnerability: while importing settings, the plugin checks whether the referenced image has already been uploaded to the local server.

As you can see, the query does not use a `prepare` statement; the supplied image URL is placed directly into the query and sent to the database without sanitisation.

Since the function returns neither SQL errors nor any response body, the MySQL sleep function is used and the server's response time is compared: a delayed response indicates whether the injected SQL condition evaluated as true.
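As an added example (not the plugin's own code), this is the hardened shape of such an AJAX settings-import handler, closing both issues described above. The hook name follows the page's `loginpress_<functionName>` pattern; the option name, nonce action, request field names and the attachment lookup query are assumptions for illustration.

```php
<?php
// Added example, not LoginPress code. WordPress maps action=loginpress_import
// to the wp_ajax_loginpress_import hook; names prefixed "example_" are assumed.
add_action( 'wp_ajax_loginpress_import', 'example_loginpress_import' );

function example_loginpress_import() {
    // Fix for issue 1: wp_ajax_* hooks fire for every logged-in user, including
    // subscribers, so the handler itself must verify capability and a nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    check_ajax_referer( 'example_loginpress_import', 'nonce' );

    // Decode the submitted JSON settings (field name "settings" is assumed).
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid_json', 400 );
    }

    // Normalise the image URL before it reaches any query or option storage.
    if ( ! empty( $settings['background_image'] ) ) {
        $url                             = esc_url_raw( $settings['background_image'] );
        $settings['background_image']    = $url;
        $settings['background_image_id'] = example_find_local_attachment( $url );
    }

    update_option( 'example_loginpress_settings', $settings );
    wp_send_json_success();
}

// Fix for issue 2: the "is this image already uploaded locally?" lookup goes
// through $wpdb->prepare(), so the URL is bound as a string literal (%s) and
// cannot change the query structure, whatever characters it contains.
function example_find_local_attachment( $url ) {
    global $wpdb;
    $id = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'attachment' AND guid = %s LIMIT 1",
            $url
        )
    );
    return $id ? (int) $id : 0;
}
```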

Affects Plugin

fixed in version 1.1.16

References

URL https://plugins.trac.wordpress.org/changeset/1988326/loginpress

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher WebArx
Submitter WebArx
Views 3398
Verified No
WPVDB ID 9217

Timeline

Publicly Published 2018-11-29
Added 2019-02-12
Last Updated 2019-02-12

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.