Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting (XSS)

Versions 1.3.8 to 1.3.9 the Loginizer WordPress Plugin were found to be vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability was due to the Plugin’s logging functionality using the $_SERVER[‘REQUEST_URI’] PHP variable to create a URL string that was logged to the database without any input validation. The URL that was saved to the database was later output within HTML without any output encoding. An unauthenticated attacker could inject malicious JavaScript into the Loginizer - Brute Force Settings page where attempted brute force logs are displayed. When an administrative user visits the page, the JavaScript would be executed, which could allow an unauthenticated attacker to entirely compromise the WordPress application.

PoC

curl --data “log=admin&pwd;=admin&wp-submit;=Log+In&redirect;_to=&testcookie;=1” “http://www.example.com/wp-login.php?a=”