Loginizer 1.3.8-1.3.9 – Unauthenticated Stored Cross-Site Scripting (XSS) | CVE 2018-11366

Description

Versions 1.3.8 to 1.3.9 the Loginizer WordPress Plugin were found to be vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability was due to the Plugin’s logging functionality using the $_SERVER['REQUEST_URI'] PHP variable to create a URL string that was logged to the database without any input validation. The URL that was saved to the database was later output within HTML without any output encoding.

An unauthenticated attacker could inject malicious JavaScript into the Loginizer - Brute Force Settings page where attempted brute force logs are displayed. When an administrative user visits the page, the JavaScript would be executed, which could allow an unauthenticated attacker to entirely compromise the WordPress application.

Proof of Concept

curl --data "log=admin&pwd=admin&wp-submit=Log+In&redirect_to=&testcookie=1" "http://www.example.com/wp-login.php?a=<script>alert(/XSS/)</script>"

Affects Plugins

loginizer

Fixed in 1.4.0

References

CVE

CVE-2018-11366

URL

https://plugins.trac.wordpress.org/changeset/1878502/loginizer

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Submitter

Ryan

Verified

WPVDB ID

ea1c0d83-5d48-4ee4-831b-19d323ee2cd3

Timeline

Publicly Published

2018-05-22 (about 7 years ago)

Added

2018-05-22 (about 7 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-08-14

Title

oik < 4.15.3 - Reflected Cross-Site Scripting

Published

2025-04-10

Title

GB Gallery Slideshow <= 1.3 - Reflected Cross-Site Scripting

Published

2018-02-10

Title

Bookly #1 WordPress Booking Plugin (Lite) < 14.5 – Unauthenticated Blind Stored XSS

Published

2017-08-07

Title

Pressforward < 5.2.4 - Reflected Cross-Site Scripting (XSS)

Published

2023-03-22

Title

I Recommend This < 3.9.1 - CSRF