CVE-2023-1912 Exposes Over 600,000 WordPress Sites to Cross-Site Scripting Attacks
A new, unauthenticated stored Cross-Site Scripting (XSS) vulnerability has been identified in the popular WordPress plugin Limit Login Attempts, which is installed on over 600,000 websites. The plugin, designed to protect site owners from brute-force attacks by limiting login attempts, has been found to contain a security flaw that puts the very sites it protects at risk. CVE-2023-1912, with a CVSS score of 7.2, is a ticking time bomb for site owners who haven’t yet updated their plugin to the latest patched version.
The vulnerability, CVE-2023-1912, affects versions up to and including 1.7.1 of the plugin. It requires a specific configuration in which the site connection option is set to “From behind a reversy [sic] proxy” and logging of IP addresses on lockout is enabled. With these settings, the plugin uses the X-Forwarded-For header to determine the visitor’s IP address, a header that is spoofable but offered as an alternative for users behind a load balancer or cache handler.
When the plugin’s logging feature is enabled, login blocks are logged and displayed on the configuration page. However, the plugin fails to escape the values it displays, leaving it vulnerable to XSS attacks. Validating the IP value taken from the X-Forwarded-For header before it is stored, and escaping it when it is displayed, would each prevent this attack; the plugin has been found to do neither.
An attacker can exploit this vulnerability by sending a login request with a malicious X-Forwarded-For header, such as:
X-Forwarded-For: <span onmouseover=alert(1)>23.23.23.23</span>
The attacker can use various methods to set this header, like browser plugins or intercepting the login request and adding it manually. Once the plugin’s blocking threshold is met, it records the malicious code as the blocked IP and executes the JavaScript code when an administrator visits the configuration page displaying the list of blocked IP addresses. This code, executed under the administrator’s authentication, can be leveraged for a site takeover.
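As an added illustration (example code, not the plugin’s own code), the following plain PHP shows the two controls the advisory says were missing: validating the X-Forwarded-For value as an IP address before it is recorded, and HTML-escaping the stored value when the lockout log is rendered. The function names are hypothetical, and the sample requests, including the header from this article, are constructed so the script runs without WordPress.

```php
<?php
// Added example, not the Limit Login Attempts code. Function names are
// hypothetical; plain PHP so it runs stand-alone (php this_file.php).

/**
 * Return the client IP to record for a login attempt.
 * When $behindProxy is true the leftmost X-Forwarded-For entry is used,
 * but only if it is a syntactically valid IPv4/IPv6 address; anything
 * else (markup, junk, empty string) falls back to REMOTE_ADDR.
 * This is the "validate on input" half of the fix.
 */
function lla_example_client_ip(array $server, bool $behindProxy): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!$behindProxy || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // X-Forwarded-For may be a comma-separated chain appended by each proxy;
    // the leftmost entry is the one claimed for the original client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $first = $chain[0];
    // FILTER_VALIDATE_IP accepts only IPv4/IPv6 literals, so an HTML payload
    // such as the one in this article is rejected rather than stored.
    if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
        return $first;
    }
    return $remote;
}

/**
 * Render one row of the lockout log for the admin configuration page.
 * The IP is escaped even though it was validated on the way in, so a
 * record written by an older version cannot execute in the admin's browser.
 * This is the "escape on output" half of the fix.
 */
function lla_example_render_row(string $ip, int $lockouts): string
{
    $safeIp = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<tr><td>%s</td><td>%d</td></tr>', $safeIp, $lockouts);
}

// Constructed sample requests (RFC 5737 documentation addresses).
$samples = [
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.1'],
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<span onmouseover=alert(1)>23.23.23.23</span>'],
    ['REMOTE_ADDR' => '10.0.0.5'],
];

foreach ($samples as $request) {
    $ip = lla_example_client_ip($request, true);
    echo lla_example_render_row($ip, 5), PHP_EOL;
}
```

For the first two requests the recorded IP is the leftmost forwarded address; for the third, the markup fails IP validation and the proxy’s own address from REMOTE_ADDR is recorded instead, and the rendered row contains only escaped text. Note that validating the format stops the stored XSS but does not make the header trustworthy: a client can still forward a well-formed but false IP, so the “behind a proxy” setting should only be used when a trusted proxy overwrites the header.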
A patch addressing this vulnerability was released on April 4, 2023, as version 1.7.2 of Limit Login Attempts. Site owners are strongly urged to update to the latest version as soon as possible to prevent attackers from exploiting this vulnerability.