WPS Limit Login is published by WP Serveur, a French WordPress host. The severity level for this update is medium.
Protection ByPass
File: /classes/plugin.php
Method: get_address()
Issue: This method reads the HTTP_X_FORWARDED_FOR variable, which is a request header whose value is supplied by the browser. It is enough to change the X-Forwarded-For header on each request for every attempt to look like a first attempt, so the plugin can never block you. An automated brute force on the password then becomes easy unless another protection, such as SecuPress, is in place.
Stored XSS in admin area #1
File: /blocks/log.php
Line: 69
…<?php echo $user_info['ip']; ?>…
File: /classes/plugin.php
Line: 1396
echo '<p>' . date_i18n( 'd/m/Y H:i:s', $date ) . ' - ' . $user_info['ip']…
Issue: There is no escaping and no sanitization, neither on input nor on output. The page displays whatever the visitor claims its IP address is. As said earlier, the value of HTTP_X_FORWARDED_FOR is set freely by the browser and can be faked, so text and script can be injected into the admin area, where the preinstalled jQuery is available on every page.
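A hardened version of the address lookup from the bypass section above, together with the output escaping this section calls for, as an added example written for this post (it is not the plugin's own code). wps_example_get_address(), wps_example_ip_html() and $trusted_proxies are assumed names; the request arrays are constructed.

```php
<?php
// Added example (not the plugin's own code): a client-IP lookup that does not
// trust X-Forwarded-For unless the connection comes from a known reverse proxy.
// $trusted_proxies is an assumed configuration value: the addresses of the
// proxies or load balancers in front of the site (empty when there are none).
function wps_example_get_address( array $server, array $trusted_proxies = array() ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    // REMOTE_ADDR comes from the TCP connection, not from a header, so the
    // client cannot forge it. Unless it is one of our proxies, ignore the header.
    if ( ! in_array( $remote, $trusted_proxies, true ) || empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;
    }

    // Walk the chain from the right (the hop nearest to us). Skip our own proxies;
    // the first address that is not one of them was appended by a trusted proxy.
    $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( in_array( $hops[ $i ], $trusted_proxies, true ) ) {
            continue;
        }
        // Accept only a syntactically valid IP; anything else (text, markup) is
        // dropped, which also closes the door the stored XSS came through.
        if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) !== false ) {
            return $hops[ $i ];
        }
        break; // malformed hop: do not trust the rest of the chain either
    }
    return $remote;
}

// The stored value must still be escaped when echoed into the admin pages;
// inside a plugin, WordPress's esc_html() is the function to use.
function wps_example_ip_html( $ip ) {
    return htmlspecialchars( $ip, ENT_QUOTES, 'UTF-8' );
}

// Constructed requests (documentation addresses, not real hosts).
// Proxy chain: client -> 192.0.2.11 (proxy A) -> 192.0.2.10 (proxy B) -> PHP.
$direct  = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1' );
$proxied = array( 'REMOTE_ADDR' => '192.0.2.10',
                  'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7, 192.0.2.11' );

// Direct connection: the header is ignored, the TCP peer is the client.
echo wps_example_get_address( $direct ) . "\n";
// Behind trusted proxies: the rightmost non-proxy hop, not the client-chosen leftmost value.
echo wps_example_get_address( $proxied, array( '192.0.2.10', '192.0.2.11' ) ) . "\n";
echo wps_example_ip_html( 'in the textarea</textarea><input>' ) . "\n";
```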
Stored XSS in admin area #2 & #3
File: /blocks/whitelist.php
Lines 2-3 & 20:
$wps_limit_login_white_list_ips = $this->get_option( 'wps_qlimit_login_whitelist' );
$wps_limit_login_white_list_ips = ( is_array( $wps_limit_login_white_list_ips ) && ! empty( $wps_limit_login_white_list_ips ) ) ? implode( "\n", $wps_limit_login_white_list_ips ) : '';

…

<?php echo $wps_limit_login_white_list_ips; ?>
Issue: No sanitization and no control of either the input or the output.
So it is possible to submit this as a whitelist entry:
in the textarea</textarea> out of the textarea <input…>
Everything after the closing tag is printed outside the textarea: the test text and the INPUT field both render, and of course worse is possible.
CSRF
File: /classes/plugin.php
Line: 1450
Issue: There is no nonce token. Sending this link to an admin, or embedding it in a hidden page, is enough to trigger the action:
https://example.com/wp-admin/admin-ajax.php?action=wpslimitlogin_rated
Nothing so bad here, but if future development is based on this kind of code it will become a problem. Better to handle it now.
These vulnerabilities have been patched in v1.4.6.1.