Wordpress security

Multiple Critical Vulnerabilities in LoginPress WordPress Plugin


Updated: July 11, 2019 by Oliver Sild

After our recent analysis, we started auditing other popular modules used by our customers. The LoginPress plugin for the WordPress CMS caught our attention and we decided to look into it more deeply. The following issues were discovered.

Software Overview

LoginPress is a WordPress CMS plugin that allows customisation of the WordPress login page. According to the plugin developers:

“You can modify the look and feel of login page completely even the login error messages, forgot error messages, registration error messages, forget password hint message and many more”.

At the time of writing this advisory, the plugin is available on the WordPress plugin repository and has over 40,000 active installs.

LoginPress Plugin Vulnerability Description

A blind time-based SQL injection, combined with a missing permission check, results in an attack that can be performed by any authenticated user on the site, including accounts with the subscriber role.

1. Lack of permission check in settings import

Similar to our recent analysis, this vulnerability was also caused by a missing permission check on the plugin settings import, allowing any registered user to import custom settings and alter the login page.


An array of functions was registered as AJAX hooks, allowing them to be called via `admin-ajax.php?action=loginpress_<functionName>`.

The `import` function, which handles the incoming JSON settings, has no permission check, allowing any user on the site to update the plugin settings.
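To make the missing check concrete, here is an added illustrative example (not LoginPress code, and not taken from the screenshots in the original post). It shows a settings-import AJAX handler in the vulnerable shape described above, registered under one action name, beside a hardened handler registered under another. The function names, the action names, the option key `example_login_settings` and the allow-listed setting keys are all assumptions made for illustration.

```php
<?php
// Added illustrative example, not plugin code. Names are assumptions.

// Vulnerable shape: wp_ajax_{action} is reachable by ANY logged-in user,
// and the handler stores whatever the caller sent without checking who
// they are or whether the request originated from the plugin's own page.
function example_import_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    update_option( 'example_login_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_import_v1', 'example_import_vulnerable' );

// Hardened version of the same handler:
//  1. a nonce bound to this action (generated on the settings page with
//     wp_create_nonce( 'example_import_settings' ) and posted as 'nonce'),
//  2. a capability check that only administrators pass,
//  3. validation of the decoded payload and an allow-list of keys.
function example_import_hardened() {
    // Dies with -1 if the nonce is missing or invalid.
    check_ajax_referer( 'example_import_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( array( 'message' => 'Invalid settings payload' ), 400 );
    }

    // Only keys we expect are kept, and each value is sanitised for its type.
    $allowed = array( 'logo_url', 'background_color', 'login_message' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( ! isset( $settings[ $key ] ) ) {
            continue;
        }
        $clean[ $key ] = ( 'logo_url' === $key )
            ? esc_url_raw( (string) $settings[ $key ] )
            : sanitize_text_field( (string) $settings[ $key ] );
    }

    update_option( 'example_login_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_import', 'example_import_hardened' );
```

The two checks guard different things: `current_user_can()` stops a subscriber from calling the endpoint at all, while `check_ajax_referer()` stops an administrator's browser from being tricked into calling it from another site. A handler that exposes a privileged operation over `admin-ajax.php` needs both.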


2. SQL Injection in settings import

The blind time-based SQL injection is located within the same function as the first vulnerability. The LoginPress plugin checks whether the image is already uploaded to the local server.


As you can see, the query does not use a `prepare` statement and is sent directly to the database without sanitising the provided image URL.

Since the function returns neither SQL errors nor a response, we make use of the sleep function in MySQL and compare how long the server takes to respond. The response time indicates whether the injected SQL condition is true or not.
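The following is an added illustrative example, not LoginPress code: a lookup in the shape the advisory describes (an image URL checked against the attachments table), first with the URL interpolated into the query, then with the value bound through `$wpdb->prepare()`. The helper names and the comparison against `wp_posts.guid` are assumptions; the real plugin query is only shown as a screenshot in the original post.

```php
<?php
// Added illustrative example, not plugin code. Helper names are assumptions.

// Vulnerable shape: the URL is concatenated straight into the SQL string.
// The caller only uses the boolean result, so a modified query produces no
// visible error or data; the only observable side channel is response time,
// which is exactly why the advisory measures it.
function example_attachment_exists_vulnerable( $image_url ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE guid = '" . $image_url . "' AND post_type = 'attachment'";
    return (bool) $wpdb->get_var( $sql );
}

// Hardened version: reject anything that is not a URL before touching the
// database, then bind the value with $wpdb->prepare(). The %s placeholder
// is escaped and quoted by WordPress, so the input can only ever be
// compared as a string literal, never parsed as SQL.
function example_attachment_exists_hardened( $image_url ) {
    global $wpdb;

    $image_url = esc_url_raw( (string) $image_url );
    if ( '' === $image_url || false === filter_var( $image_url, FILTER_VALIDATE_URL ) ) {
        return false; // Not a URL we could have stored, so no query is needed.
    }

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE guid = %s AND post_type = 'attachment' LIMIT 1",
        $image_url
    );
    return (bool) $wpdb->get_var( $sql );
}

// WordPress core also ships attachment_url_to_postid(), which performs this
// lookup with a prepared statement; prefer it over a hand-written query.
function example_attachment_id_for_url( $image_url ) {
    return attachment_url_to_postid( esc_url_raw( (string) $image_url ) );
}
```

Note that `esc_url_raw()` alone is not an SQL defence: it normalises the URL but does not escape quotes for the database. The protection comes from `$wpdb->prepare()`, which is why it should wrap every query that includes user-controlled values, regardless of what other sanitisation ran first.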


Conclusion

The developers of LoginPress were very responsive when we reached out to them, and they patched the discovered vulnerabilities in version 1.1.14, which was released on 21st of November, 2018.

We are actively monitoring all possible enumeration and exploitation campaigns connected to this plugin vulnerability. We strongly advise updating the LoginPress plugin to the latest version as soon as possible.

Due to the nature of this vulnerability, the WebARX firewall already prevents the mentioned vulnerabilities. If you need website protection, feel free to sign up.

For Developers

If you are a plugin developer, make sure you are not exposing AJAX hooks that lack a permission check or nonce. SQL queries that accept user input should always be sanitised. A good starting point is provided by WordPress.org, where you can find plugin security references.
