As part of a vulnerability research project for our WordPress Security Scanner at WPcans.com, we have been auditing popular WordPress plugins looking for security issues.

While auditing the WordPress plugin Loginizer, we discovered a SQL Injection vulnerability and a Cross-Site Request Forgery (CSRF).

This plugin is currently installed on 500,000+ websites.

About the plugin

According to WordPress.org:

Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve security of your website.

Are You at Risk?

This vulnerability is caused by the lack of sanitization in user provided data and missing checks. As soon as possible upgrade to the latest version of the plugin: 1.3.6.

You can also use our free security scanner at WPScans.com to scan for this vulnerability or the open-source tool wpscan.

Technical Details CSRF

First, the CSRF vulnerability can be triggered when a admin or a user with manage_option privileges clicks a link provided by an attacker. The link can be hidden with a URL-shortener for example, screenshots from the broken referer/nonce check:

Screenshot CSRF

As the above screenshot shows the check_admin_referer() function is only executed if $_POST is set. But deleting a whitelist or blacklist IP does not require POST, only GET:

Screenshot CSRF

Technical Details SQL Injection

When someone tries to login at least one SQL-query is executed by the plugin. The query looks something like this:

SELECT * FROM `wp_loginizer_logs` WHERE `ip` = 'myip...

The problem above is that an attacker can set IP using different http-headers such as X-Forwarded-For depending on the server setup. This http-header is forwarded without any sanitization to lz_selectquery() and then $wpdb->get_results().

This is a blind SQL injection vulnerability and can be exploited using sqlmap, as example:

SQLmap

Timeline

  • 2017-08-02 Vulnerabilities found
  • 2017-08-04 Plugin vendor contacted using online form
  • 2017-08-07 Fixed by vendor: WordPress.org changelog
  • 2017-08-07 CVE ID requested
  • 2017-08-08 Blog post published

CVE ID:s assigned from Mitre:

  • CVE-2017-12650
  • CVE-2017-12651

Vulnerabilities found by Jonas Lejon.

Leave a Reply

Your email address will not be published. Required fields are marked *