A fairly well-known WordPress plugin named Loginizer contained a Stored XSS bug and an SQL injection bug. Both were fixed in a recent security patch that was force-pushed to over one million WordPress sites using the plug-in. The underlying issue is that Loginizer accepted inputs without any validation, which caused errors.
WordPress Plugin Having XSS Bug
WordPress is the largest community for blogging. Millions of bloggers use various plug-ins to add functionality to their sites. Among them, Loginizer is a WordPress plugin that helps site owners fight malicious traffic. It protects the site against brute-force attacks by blacklisting IP addresses.
While it serves a good cause and is used by more than a million bloggers, it was reported to have a bug that lets attackers inject malicious code, as well as a Stored XSS bug. Regarding the first, Loginizer works on a mechanism that takes the input and lets users pass through its shield if they are not generating any suspicious traffic.
However, it had no check on the input values before letting them through. More specifically, it did not validate the input, so an improper input produced an error response. An attacker could fill in the input with something crafted and trigger that error response, which eventually allowed an SQL injection on the site.
According to WPScan, “The vulnerability was triggered within the brute force protection functionality, which was enabled by default when the plugin was first installed. When a user attempts to log in with an unknown username, the attempt is logged in the backend database, where the username, as well as other parameters, are not properly validated before being placed within the SQL query.”
Further, a report by Wpdeeply reveals that the exploit can take the attacker to the backend database, letting them modify it if desired. It read “we see how raw $username reaches the plugin functionality… Also in this function, there are calls towards DB with not sanitized DB parameters… and we see the places that are vulnerable to SQLi based on user login data.”
Besides this, there is also a Stored XSS vulnerability, which lets the attacker serve a malicious payload, injected through the SQL injection bug, to everyone. This vector lets them reach every visitor to the infected website.
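To make the two bugs concrete, here is an added illustration of the pattern the reports describe (a failed-login logger that writes the raw username into a query) beside a hardened form. This is example code written for this article, not Loginizer's own source; the table name, column names and function names are hypothetical, and it assumes the standard WordPress `$wpdb` global and helper functions.

```php
<?php
// Added illustration (not Loginizer's code): how a failed-login logger in a
// WordPress plugin can become SQL-injectable, and the fixed form.
// Assumes the standard WordPress $wpdb global and a hypothetical table
// {$wpdb->prefix}failed_logins with columns username, ip, attempted_at.

// VULNERABLE PATTERN: the raw username from the login form is interpolated
// straight into the SQL string, so whatever the visitor types becomes part
// of the query text. No authentication is needed to reach this code path,
// because it runs precisely when a login attempt fails.
function log_failed_login_vulnerable( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $sql   = "INSERT INTO $table (username, ip, attempted_at) "
           . "VALUES ('$username', '$ip', NOW())";
    return $wpdb->query( $sql ); // unsafe: input is part of the SQL text
}

// HARDENED PATTERN: validate first, then bind values with $wpdb->prepare()
// so user input is always treated as data, never as SQL.
function log_failed_login_hardened( $username, $ip ) {
    global $wpdb;
    $username = sanitize_user( $username, true );   // strict: strip odd characters
    $ip       = filter_var( $ip, FILTER_VALIDATE_IP );
    if ( '' === $username || false === $ip ) {
        return false; // refuse malformed input instead of erroring inside SQL
    }
    $table = $wpdb->prefix . 'failed_logins';
    $sql   = $wpdb->prepare(
        "INSERT INTO $table (username, ip, attempted_at) VALUES (%s, %s, NOW())",
        $username,
        $ip
    );
    return $wpdb->query( $sql );
}

// Escape on output when the log is rendered in wp-admin. Stored data must be
// treated as untrusted here too; this is what closes the Stored XSS path that
// rides on whatever the injected record contains.
function render_failed_login_row( $row ) {
    return '<tr><td>' . esc_html( $row->username ) . '</td><td>'
         . esc_html( $row->ip ) . '</td></tr>';
}
```

The fix is two-sided: parameterise the query so the username cannot alter the SQL, and escape the stored value when it is displayed so a record that did get in cannot execute as script in an administrator's browser.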
These bugs are described in Loginizer's changelog, which states that plug-in versions before v1.6.4 are affected and therefore need to be updated. Patches for these bugs were applied to most of the sites using the plug-in through a forced update from WordPress.