November 27, 2018 by Luka Šikić
After our recent analysis, we started auditing other popular modules used by our customers. The LoginPress plugin for the WordPress CMS caught our attention and we decided to look into it more deeply. The following issues were discovered.
LoginPress is a WordPress CMS plugin that allows customisation of the WordPress login page. According to the plugin developers:
“You can modify the look and feel of login page completely even the login error messages, forgot error messages, registration error messages, forget password hint message and many more”.
At the time of writing this advisory, the plugin is available on the WordPress plugin repository and has over 40,000 active installs.
A blind time-based SQL injection, combined with a missing permission check, resulted in an unauthorised attack which can be performed by any user on the site (including
Similar to our recent analysis, this vulnerability was also caused by a missing permission check on the plugin settings import, allowing any registered user to import custom settings and adjust the login page.
An array of functions were registered as ajax hooks to allow calls from
The `import` function, which is in charge of handling incoming JSON settings, has no permission check, allowing all users on the site to update plugin settings.
The blind time-based SQL injection is located within the same function as the first vulnerability. The LoginPress plugin checks whether the image is already uploaded to the local server.
As you can notice, the query does not use a `prepare` statement and queries the database directly without sanitising the provided image URL.
Since the function does not return any SQL errors or response, we make use of the MySQL sleep function and compare how long the server takes to respond. The response time is an indicator of whether the SQL query condition is true or not.
The discovered vulnerabilities are patched in version 1.1.14, which was released on the 21st of November, 2018. We are actively monitoring all possible enumeration and exploitation campaigns connected to this plugin vulnerability. We strongly advise updating the LoginPress plugin to the latest version as soon as possible.
If you are a plugin developer, make sure you are not exposing ajax hooks that lack a permission check or nonce. SQL queries that accept user input should always be sanitised. A good starting point is provided by WordPress.org, where you can find plugin security references.
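The following is an added example of what a hardened settings-import AJAX handler looks like, covering both problems described above (the missing permission check on the ajax hook and the unparameterised image-URL lookup). It is not LoginPress code; the hook name, nonce action, option key, settings field names and the `wp_posts.guid` lookup are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Hook/option/field names are assumed.

// Registered only for logged-in users; there is deliberately no matching
// 'wp_ajax_nopriv_' hook, so unauthenticated requests never reach this handler.
add_action( 'wp_ajax_example_import_settings', 'example_import_settings' );

function example_import_settings() {
    // 1. Nonce: rejects requests that did not originate from the plugin's own admin page.
    check_ajax_referer( 'example_import_nonce', 'nonce' );

    // 2. Capability check: only users allowed to manage options may import settings.
    //    This is the check whose absence let any registered user call the importer.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Decode and validate the incoming JSON before touching the database.
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( array( 'message' => 'Invalid JSON payload.' ), 400 );
    }

    // The image URL is untrusted input; normalise it before it reaches any query.
    $image_url = isset( $settings['background_image'] )
        ? esc_url_raw( $settings['background_image'] )
        : '';
    if ( '' === $image_url ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid image URL.' ), 400 );
    }

    // 4. Parameterised lookup: $wpdb->prepare() binds the URL as a string literal,
    //    so SQL syntax inside the value cannot alter the statement (contrast with
    //    interpolating $image_url straight into the query string).
    global $wpdb;
    $attachment_id = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'attachment' AND guid = %s LIMIT 1",
            $image_url
        )
    );

    // 5. Persist only sanitised values, never the raw decoded array.
    $clean = array(
        'background_image'    => $image_url,
        'background_image_id' => $attachment_id ? (int) $attachment_id : 0,
        'login_title'         => sanitize_text_field( $settings['login_title'] ?? '' ),
    );
    update_option( 'example_login_settings', $clean );

    wp_send_json_success( $clean );
}
```

`attachment_url_to_postid()` is the WordPress core helper for the same URL-to-attachment lookup and is preferable to a hand-written query in real code; the explicit `prepare()` call is shown here only to make the parameterisation visible.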