[WordPress Security] Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts
On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts. The plugin is vulnerable in versions up to, and including, 1.7.1. A patch addressing this vulnerability was released on April 4, 2023 as version 1.7.2. We recommend all site owners update to version 1.7.2 as soon as possible.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, along with those still using the free version of the plugin, are protected by the Wordfence firewall against any exploits targeting this vulnerability.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.
Description: Limit Login Attempts <= 1.7.1 – Unauthenticated Stored Cross-Site Scripting
Affected Plugin: Limit Login Attempts
Plugin Slug: limit-login-attempts
Affected Versions: <= 1.7.1
CVE ID: CVE-2023-1912
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 1.7.2
The Limit Login Attempts plugin offers some simple configuration options. These include a maximum number of login retries, lockout duration, lockout expiration times as well as some logging and notification options. The vulnerability, assigned CVE-2023-1912, requires a specific configuration: the site connection option must be set to “From behind a reversy [sic] proxy” and logging of IP addresses on lockout must be enabled.
With the reverse proxy detection option enabled, the plugin uses the X-Forwarded-For header to determine the visitor's IP address. While this HTTP header is spoofable, the plugin does offer its use as an alternative for those who are behind a load balancer or cache handler. It does not use this setting by default.

With the plugin's logging feature enabled, login blocks are logged and displayed on the configuration page. The following code accomplishes this (slightly edited for legibility).
As can be seen, this function assembles a table of information but does not escape the values it uses. While sanitization is recommended as input is received, escaping output, even if it is already sanitized, is a far more effective tool in preventing Cross-Site Scripting. Unfortunately, this plugin was not utilizing either sanitization or escaping of the stored IP value that could be supplied via the X-Forwarded-For: header.
To exploit this vulnerability, an attacker could send a login request with the following X-Forwarded-For header set:

X-Forwarded-For: <span onmouseover=alert(1)>23.23.23.23</span>

This header can be set via many methods, such as through a browser plugin or by intercepting the login request and adding it manually. Once the plugin's blocking threshold is met, it will record the above code as the blocked IP and execute the malicious JavaScript code when an administrator visits the configuration page where the list of blocked IP addresses is displayed. This malicious code is executed under the authentication of an administrator and can be utilized to help facilitate a site takeover.
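To make the fix concrete, here is an added example (not the plugin's own code; the lla_demo_* function names and the option flag are hypothetical) that reproduces the pattern described above in a few lines of PHP and places the hardened form beside it: the X-Forwarded-For value is validated as an IP address with filter_var() before it is stored, and escaped with esc_html() (or htmlspecialchars() outside WordPress) before it is rendered.

```php
<?php
// Added example, not the plugin's own code: a minimal lockout log that mirrors
// the flaw described above, beside a hardened version. All names are hypothetical.

// Vulnerable pattern: trust X-Forwarded-For verbatim and echo the stored value unescaped.
function lla_demo_get_address_vulnerable(array $server, bool $behind_proxy): string {
    if ($behind_proxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR']; // attacker-controlled, never validated
    }
    return $server['REMOTE_ADDR'];
}

function lla_demo_render_row_vulnerable(string $ip, int $count): string {
    return "<tr><td>$ip</td><td>$count</td></tr>"; // lands in the admin page as-is
}

// Hardened pattern: validate on the way in, escape on the way out.
function lla_demo_get_address_hardened(array $server, bool $behind_proxy): string {
    $remote = $server['REMOTE_ADDR'];
    if (!$behind_proxy || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // The header may be a comma-separated chain; a single trusted proxy appends
    // the address it saw last, so take the last entry and require a real IP.
    $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($parts);
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote; // not an IP: fall back instead of storing the raw header
    }
    return $candidate;
}

function lla_demo_render_row_hardened(string $ip, int $count): string {
    // esc_html() is WordPress's output-escaping helper; htmlspecialchars() outside WordPress.
    $safe_ip = function_exists('esc_html')
        ? esc_html($ip)
        : htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
    return '<tr><td>' . $safe_ip . '</td><td>' . $count . '</td></tr>';
}

// Constructed request carrying the header value quoted in the advisory.
$request = [
    'REMOTE_ADDR'          => '203.0.113.10', // address of the reverse proxy
    'HTTP_X_FORWARDED_FOR' => '<span onmouseover=alert(1)>23.23.23.23</span>',
];
echo lla_demo_render_row_vulnerable(lla_demo_get_address_vulnerable($request, true), 5), "\n";
echo lla_demo_render_row_hardened(lla_demo_get_address_hardened($request, true), 5), "\n";
```

The vulnerable row embeds the live `<span onmouseover=...>` markup, while the hardened row contains only 203.0.113.10 because the header fails IP validation and the connecting address is kept instead. Validation only constrains the syntax: a syntactically valid address in the header remains under the client's control, which is why the reverse-proxy option belongs off unless a proxy really sits in front of the site.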
Cross-Site Scripting Vulnerabilities are the result of missing sanitization and unescaped display of user input. Most commonly, we see user input that is exploitable to Cross-Site Scripting collected via a form. In this vulnerability, the processed information is still provided by a user, but collected via a different and more unusual route which is why proper sanitization and escaping may have been missed.
Timeline
January 26, 2023 – We reached out directly to the WordPress Plugin Security Team as no contact information was readily available for the developer of the plugin.
March 24, 2023 – The WordPress Plugin Security Team acknowledges receipt of our report.
April 4, 2023 – Version 1.7.2 addresses this issue.
Conclusion
In today's post, we covered an unauthenticated Cross-Site Scripting vulnerability via the X-Forwarded-For header in the Limit Login Attempts plugin. This can be leveraged by unauthenticated attackers to facilitate a site takeover by injecting malicious JavaScript into the database of an affected site that may execute when a site administrator accesses the logging page.
Again, all Wordfence Premium, Wordfence Care, and Wordfence Response customers, along with those still using the free version of the plugin, are protected by the Wordfence firewall for any exploits targeting this vulnerability.

Special Note: We independently discovered this vulnerability in January while reviewing a vulnerability in another plugin. We followed our responsible disclosure process and reported it to the WordPress Plugin Security Team, ensured it got patched, and published it to our vulnerability database once a patch was released. After adding the vulnerability to our database, we were made aware of another unnamed security researcher who also discovered this issue and publicly disclosed details about this vulnerability five years ago without ensuring the vulnerability got patched, which does not follow standard practice. Regardless, we would like to make mention of this so the other researcher who also found the vulnerability receives credit.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest version of Limit Login Attempts as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.
Defiant, Inc., 1700 Westlake Ave N STE 200, Seattle, WA 98109, United States
You're receiving this email because you signed up to the Wordfence WordPress security mailing list.