WordPress Plugin Vulnerabilities

LoginPress <= 1.1.15 - Authenticated Blind SQL Injection

Description

A blind time-based SQL injection, combined with a missing permission check, allows the attack to be carried out by any authenticated user on the site (including accounts with the subscriber role).

1. Lack of permission check in settings import

As in our recent analysis, this vulnerability is caused by a missing permission check on the plugin's settings import, which allows any registered user to import custom settings and alter the login page.

A number of functions are registered as AJAX hooks so that they can be called via `admin-ajax.php?action=loginpress_<functionName>`.

The `import` function, which handles the incoming JSON settings, performs no permission check, so every user on the site can update the plugin settings.

2. SQL Injection in settings import

The blind time-based SQL injection is located in the same function as the first vulnerability. The LoginPress plugin checks whether the image referenced in the imported settings has already been uploaded to the local server.

The query does not go through `$wpdb->prepare()`; it is executed directly against the database without sanitising the supplied image URL.

Since the function returns neither SQL errors nor a response body, the injection is blind: the MySQL `SLEEP()` function is used and the server's response time is measured. A delayed response indicates that the injected condition evaluated to true.
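The two defects above, a missing capability check on an AJAX handler and an unprepared query built from user-controlled input, have a standard fix in WordPress. The following handler is an added example and is not LoginPress code; the hook prefix `myplugin_`, the option key `myplugin_settings`, the nonce action `myplugin_import` and the `image_url` setting are hypothetical names chosen for the example.

```php
<?php
// Added example (not LoginPress code): a hardened settings-import AJAX handler.
// Assumed names: the hook prefix "myplugin_", the option key "myplugin_settings",
// the nonce action "myplugin_import" and the "image_url" setting are hypothetical.

// Register the handler for logged-in users only. There is deliberately no
// "wp_ajax_nopriv_" twin, so unauthenticated admin-ajax.php requests never reach it.
add_action( 'wp_ajax_myplugin_import', 'myplugin_import_settings' );

/**
 * Look up an attachment by its URL with a parameterised query.
 * Returns the attachment ID, or 0 when nothing matches.
 */
function myplugin_attachment_id_for_url( $url ) {
    global $wpdb;
    // $wpdb->prepare() binds $url as a quoted string literal, so quote
    // characters or a SLEEP() expression inside it cannot alter the query.
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'attachment' AND guid = %s LIMIT 1",
        $url
    );
    return (int) $wpdb->get_var( $sql );
}

function myplugin_import_settings() {
    // 1. CSRF: the request must carry a nonce tied to this action.
    check_ajax_referer( 'myplugin_import', 'nonce' );

    // 2. Authorisation: being logged in is not the same as being allowed to
    //    change settings. Subscribers fail this check; administrators pass.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: decode the JSON and reject anything that is not an object.
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( array( 'message' => 'Malformed settings payload.' ), 400 );
    }

    // 4. The image URL is the value that reached SQL in the vulnerable version.
    //    Validate it as a URL before it is used anywhere.
    $image_url = '';
    if ( ! empty( $settings['image_url'] ) ) {
        $image_url = esc_url_raw( (string) $settings['image_url'] );
        if ( '' === $image_url ) {
            wp_send_json_error( array( 'message' => 'Invalid image URL.' ), 400 );
        }
        $settings['image_url'] = $image_url;
    }

    // Safe lookup; the caller can use the result to decide whether the image
    // still needs to be sideloaded into the media library.
    $attachment_id = $image_url ? myplugin_attachment_id_for_url( $image_url ) : 0;

    update_option( 'myplugin_settings', $settings );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

The order of the checks matters: the nonce and capability checks run before any input is parsed, so a subscriber's request is rejected before the JSON or the image URL is touched, and the URL only ever reaches the database as a bound `%s` parameter.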

Affects Plugins

Fixed in 1.1.16

References

Classification

Type
SQLI
OWASP top 10
CWE

Miscellaneous

Original Researcher
WebArx
Submitter
WebArx
Verified
No

Timeline

Publicly Published
2018-11-29
Added
2019-02-12
Last Updated
2019-11-01

Other