SQL Injection and CSRF Security Vulnerability in Loginizer

As part of a vulnerability research project for our WordPress Security Scanner at WPScans.com, we have been auditing popular WordPress plugins for security issues.

While auditing the WordPress plugin Loginizer, we discovered a SQL Injection vulnerability and a Cross-Site Request Forgery (CSRF) vulnerability.

This plugin is currently installed on 500,000+ websites.

About the plugin

According to WordPress.org:

Loginizer is a WordPress plugin which helps you fight against brute-force attacks by blocking login for the IP after it reaches the maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve the security of your website.

Are You at Risk?

Both vulnerabilities are caused by missing sanitization of user-provided data and by missing checks. Upgrade to the latest version of the plugin, 1.3.6, as soon as possible.

You can also scan for these vulnerabilities with our free security scanner at WPScans.com or with the open-source tool wpscan.

Technical Details: CSRF

First, the CSRF vulnerability can be triggered when an admin, or any user with the manage_options capability, clicks a link provided by an attacker. The link can be hidden behind a URL shortener, for example. The screenshots below show the broken referer/nonce check:

[Screenshot: the referer/nonce check in the plugin's options handler]

As the screenshot above shows, the check_admin_referer() function is only executed if $_POST is set, but deleting a whitelisted or blacklisted IP does not require a POST request; a plain GET is enough:

[Screenshot: the delete action read from $_GET without a nonce check]
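The flaw above is a nonce check that depends on the request method. The following added example (written for this page, not Loginizer's or WordPress's code) models that pattern in Python next to the corrected handler. The `Request` class, the HMAC-based `make_nonce()` and the action name `delete_whitelist_ip` are this example's own constructions standing in for `$_GET`/`$_POST`, `wp_create_nonce()`/`check_admin_referer()` and the plugin's real parameter names.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the site's secret salts.
SECRET = b"constructed-example-secret"
# Hypothetical action name for "remove an IP from the whitelist".
ACTION = "delete_whitelist_ip"


@dataclass
class Request:
    """Just enough of an HTTP request: $_GET, $_POST and the logged-in user."""
    method: str
    query: dict = field(default_factory=dict)   # $_GET
    form: dict = field(default_factory=dict)    # $_POST
    user_id: int = 0


def make_nonce(action: str, user_id: int) -> str:
    """Token bound to an action and a user, in the spirit of wp_create_nonce()."""
    msg = f"{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(req: Request, action: str) -> bool:
    """Constant-time comparison; the token may travel in the body or the URL."""
    supplied = req.form.get("_wpnonce") or req.query.get("_wpnonce") or ""
    expected = make_nonce(action, req.user_id)
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle_vulnerable(req: Request, whitelist: set) -> int:
    """Mirrors the flaw in the post: the nonce check runs only when the request
    carries POST data, yet the delete action is also honoured from $_GET."""
    if req.form:
        if not verify_nonce(req, ACTION):
            return 403
    params = {**req.query, **req.form}
    if params.get("action") == ACTION and "ip" in params:
        whitelist.discard(params["ip"])
        return 200
    return 400


def handle_fixed(req: Request, whitelist: set) -> int:
    """Every state-changing request must carry a valid nonce, whatever the method.
    Refusing GET for writes altogether is a further hardening; the unconditional
    nonce check is what closes the hole described above."""
    params = {**req.query, **req.form}
    if params.get("action") == ACTION and "ip" in params:
        if not verify_nonce(req, ACTION):
            return 403
        whitelist.discard(params["ip"])
        return 200
    return 400


def demo() -> tuple:
    """A forged link (GET, no token) against each handler, then a legitimate request."""
    forged = Request("GET", query={"action": ACTION, "ip": "203.0.113.7"}, user_id=1)
    old_list, new_list = {"203.0.113.7"}, {"203.0.113.7"}
    old_status = handle_vulnerable(forged, old_list)   # 200: entry silently removed
    new_status = handle_fixed(forged, new_list)        # 403: entry kept
    kept = sorted(new_list)
    legit = Request("GET", query={"action": ACTION, "ip": "203.0.113.7",
                                  "_wpnonce": make_nonce(ACTION, 1)}, user_id=1)
    legit_status = handle_fixed(legit, new_list)       # 200: token valid
    return old_status, sorted(old_list), new_status, kept, legit_status


if __name__ == "__main__":
    print(demo())
```

The point of the fix is that the decision "does this request change state?" is made from the action being performed, never from the HTTP method the attacker happened to choose; the token check then applies to every path that reaches the write.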

Technical Details: SQL Injection

When someone tries to log in, the plugin executes at least one SQL query. It looks something like this:

SELECT * FROM `wp_loginizer_logs` WHERE `ip` = 'myip...

The problem is that, depending on the server setup, an attacker can control the IP value through HTTP headers such as X-Forwarded-For. The header value is passed without any sanitization to lz_selectquery() and from there to $wpdb->get_results().

This is a blind SQL injection vulnerability and can be exploited using sqlmap, for example:

[Screenshot: sqlmap output against the login form]
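Two separate defects meet here: the client IP is taken from a header anyone can set, and that value is spliced into the SQL text. The added example below (written for this page, not Loginizer's code) shows both in Python with an in-memory SQLite table, beside the corrected versions: trust X-Forwarded-For only from a known proxy and only if it parses as an address, and bind the value as a parameter. The table layout, the two log rows, the trusted-proxy address and the probe string are constructed for the demo; in WordPress the binding step is `$wpdb->prepare()` with a `%s` placeholder.

```python
import ipaddress
import sqlite3

# Constructed: the only reverse proxy whose X-Forwarded-For header is believed.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """The pattern from the post: whatever the header says is the client IP."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_fixed(remote_addr: str, headers: dict) -> str:
    """Believe X-Forwarded-For only when the TCP peer is a trusted proxy, take
    the rightmost entry (the one that proxy appended) and require that it parses
    as an IP address. Everything else falls back to the socket address."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    if xff and peer in TRUSTED_PROXIES:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # not an address: ignore the header entirely
    return remote_addr


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for wp_loginizer_logs with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE loginizer_logs (ip TEXT, count INTEGER)")
    con.executemany("INSERT INTO loginizer_logs VALUES (?, ?)",
                    [("198.51.100.10", 3), ("203.0.113.42", 1)])
    return con


def lookup_vulnerable(con: sqlite3.Connection, ip: str) -> list:
    """String interpolation: the header value becomes part of the SQL text."""
    return con.execute(f"SELECT * FROM loginizer_logs WHERE ip = '{ip}'").fetchall()


def lookup_fixed(con: sqlite3.Connection, ip: str) -> list:
    """Parameter binding: the value is only ever compared, never parsed as SQL."""
    return con.execute("SELECT * FROM loginizer_logs WHERE ip = ?", (ip,)).fetchall()


def demo() -> dict:
    """Run a constructed tautology probe through both paths."""
    probe = {"X-Forwarded-For": "x' OR '1'='1"}
    con = setup_db()
    raw_ip = client_ip_vulnerable("192.0.2.9", probe)
    safe_ip = client_ip_fixed("192.0.2.9", probe)
    return {
        "rows_vulnerable": len(lookup_vulnerable(con, raw_ip)),  # 2: every row matches
        "rows_fixed": len(lookup_fixed(con, raw_ip)),            # 0: compared as a literal
        "ip_fixed": safe_ip,                                      # untrusted peer: header ignored
    }


if __name__ == "__main__":
    print(demo())
```

Either fix alone would have stopped this particular query from being injectable; both are still wanted, because a validated IP protects every later consumer of the value (logging, rate limiting, display) while parameter binding protects the query against any input, not just this header.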

Timeline

  • 2017-08-02 Vulnerabilities found
  • 2017-08-04 Plugin vendor contacted using online form
  • 2017-08-07 Fixed by vendor: WordPress.org changelog
  • 2017-08-07 CVE ID requested
  • 2017-08-08 Blog post published

CVE IDs assigned by MITRE:

  • CVE-2017-12650
  • CVE-2017-12651

Vulnerabilities found by Jonas Lejon.
