Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:96370
HistoryAug 22, 2017 - 12:00 a.m.

SQL Injection(CVE-2017-12650) and CSRF(CVE-2017-12651) Security Vulnerability in Loginizer

2017-08-2200:00:00
Root
www.seebug.org
39

EPSS

0.002

Percentile

55.2%

JSON

As part of a vulnerability research project for our WordPress Security Scanner at WPcans.com, we have been auditing popular WordPress plugins looking for security issues.

While auditing the WordPress plugin Loginizer, we discovered a SQL Injection vulnerability and a Cross-Site Request Forgery (CSRF).

This plugin is currently installed on 500,000+ websites.

About the plugin

According to WordPress.org:

Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve security of your website.

Are You at Risk?

This vulnerability is caused by the lack of sanitization in user provided data and missing checks. As soon as possible upgrade to the latest version of the plugin: 1.3.6.

You can also use our free security scanner at WPScans.com to scan for this vulnerability or the open-source tool wpscan.

Technical Details CSRF

First, the CSRF vulnerability can be triggered when a admin or a user with manage_option privileges clicks a link provided by an attacker. The link can be hidden with a URL-shortener for example, screenshots from the broken referer/nonce check:

As the above screenshot shows the check_admin_referer() function is only executed if $_POST is set. But deleting a whitelist or blacklist IP does not require POST, only GET:

Technical Details SQL Injection

When someone tries to login at least one SQL-query is executed by the plugin. The query looks something like this:

SELECT * FROM `wp_loginizer_logs` WHERE `ip` = 'myip...

The problem above is that an attacker can set IP using different http-headers such as X-Forwarded-For depending on the server setup. This http-header is forwarded without any sanitization to lz_selectquery() and then $wpdb->get_results().

This is a blind SQL injection vulnerability and can be exploited using sqlmap, as example:

###b Timeline

  • 2017-08-02 Vulnerabilities found
  • 2017-08-04 Plugin vendor contacted using online form
  • 2017-08-07 Fixed by vendor: WordPress.org changelog
  • 2017-08-07 CVE ID requested
  • 2017-08-08 Blog post published

Related

openvas 1
patchstack 2
nvd 2
wpvulndb 2
cvelist 2
cve 2
prion 2
openvas
openvas
WordPress Loginizer Plugin <= 1.3.5 Multiple Vulnerabilities
2017-08-08 00:00:00
patchstack
patchstack
WordPress Loginizer plugin <=1.3.5 - Cross-Site Request Forgery (CSRF) vulnerability
2017-08-08 00:00:00
WordPress Loginizer plugin <=1.3.5 - Blind SQL Injection vulnerability
2017-08-08 00:00:00
nvd
nvd
CVE-2017-12651
2017-08-07 17:29:00
CVE-2017-12650
2017-08-07 17:29:00
wpvulndb
wpvulndb
Loginizer <= 1.3.5 - Cross-Site Request Forgery (CSRF)
2017-08-08 00:00:00
Loginizer <= 1.3.5 - Blind SQL Injection
2017-08-08 00:00:00
cvelist
cvelist
CVE-2017-12651
2017-08-07 17:00:00
CVE-2017-12650
2017-08-07 17:00:00
cve
cve
CVE-2017-12651
2017-08-07 17:29:00
CVE-2017-12650
2017-08-07 17:29:00
prion
prion
Sql injection
2017-08-07 17:29:00
Cross site request forgery (csrf)
2017-08-07 17:29:00

EPSS

0.002

Percentile

55.2%

JSON
Related for SSV:96370
openvas1patchstack2nvd2wpvulndb2cvelist2cve2prion2