Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#28469 closed defect (bug) (invalid)

Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)

Reported by: blackswallow
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses: ui
Cc:

Description

It is assigned CVE-2014-2229.

WP Login is one of the most powerful WordPress login plugins and it is widely used, i.e.

http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F [1]
http://rocketsquids.squidoo.com/wp-login.php?redirect_to=http%3A%2F%2Frocketsquids.squidoo.com
https://managewp.com/wp-login.php?redirect_to=https%3A%2F%2Fmanagewp.com%2F3-8-7-worker-update-news

However, I found that "wp-login.php" has an open redirection vulnerability. That means WP login plugin is vulnerable.

The vulnerability exists at "wp-login.php" page with "redirect_to" parameter, e.g.
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.google.com

(1) When a user clicks the URL ([1]) above, the "WordPress login" page appears. The user needs to enter his/her username and password. When this is done, the user is redirected to a webpage belonging to the website that installs the "WP Login" plugin.

However, it seems that "WP Login" allows some other domains, i.e. google.com.

Now, a user could be redirected from "WP login" to a vulnerable URL in google first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from "WP login" directly.

My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

(2) I will use the following tests to illustrate the scenario I painted above.

The redirected webpage address is "http://www.tetraph.com". It's one of my webpages. We can suppose that this webpage is malicious.

Vulnerable URL:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F

POC:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q

I have made a POC video for illustration. The video is available upon request.
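A defender-side check for the "redirect_to" parameter, added here as an example; it is not code from this ticket, from the WP Login plugin, or from WordPress core. It pulls redirect_to out of a login URL and only allows targets on the site's own host, sending everything else (including the chained google.com URL in the POC above, scheme-relative "//host" forms, and userinfo tricks) to a fixed fallback page. The ALLOWED_HOSTS set and the "/wp-admin/" fallback are assumptions for the example; WordPress core applies the same host allow-list idea in wp_validate_redirect(), which wp_safe_redirect() calls.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed for the example: the only host(s) a post-login redirect may land on.
ALLOWED_HOSTS = {"en.wordpress.com"}

# Assumed fallback used whenever redirect_to is not acceptable.
DEFAULT_REDIRECT = "/wp-admin/"

# Characters browsers treat as path/authority separators or that could be
# abused for header injection; any of them means "do not trust this value".
FORBIDDEN_CHARS = "\r\n\t\0\\"


def validate_redirect(redirect_to, fallback=DEFAULT_REDIRECT):
    """Return redirect_to if it stays on an allowed host, otherwise fallback.

    Mirrors the allow-list approach rather than a deny-list: anything that is
    not provably same-site (or a site-relative path) is replaced.
    """
    target = (redirect_to or "").strip()
    if not target or any(c in target for c in FORBIDDEN_CHARS):
        return fallback

    # "//evil.example/" is scheme-relative and absolute in every browser,
    # and "/\\evil.example" is normalised to the same thing by browsers.
    if target.startswith("//") or target.startswith("/\\"):
        return fallback

    parts = urlsplit(target)

    # Only web schemes may be followed; "javascript:", "data:" etc. are out.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback

    # No authority component: this must be a site-relative path.
    # ("http:evil.example" parses with an empty netloc and is rejected here.)
    if not parts.netloc:
        return target if target.startswith("/") else fallback

    # .hostname strips userinfo ("site@evil") and port, and lowercases,
    # so "http://en.wordpress.com@evil.example/" resolves to evil.example.
    host = parts.hostname
    if host not in ALLOWED_HOSTS:
        return fallback
    return target


def redirect_from_login_url(login_url):
    """Extract the redirect_to query parameter from a wp-login.php URL."""
    query = parse_qs(urlsplit(login_url).query)
    values = query.get("redirect_to")
    return values[0] if values else ""


def resolve_login_redirect(login_url):
    """Full check: extract redirect_to and return the URL the site may use."""
    return validate_redirect(redirect_from_login_url(login_url))


# The legitimate URL ([1]) and the POC URL from the ticket description above.
LEGIT_LOGIN_URL = (
    "http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F"
)
POC_LOGIN_URL = (
    "http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl"
    "%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2"
    "%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F"
    "%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg"
    "%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q"
)

if __name__ == "__main__":
    for url in (LEGIT_LOGIN_URL, POC_LOGIN_URL):
        print(redirect_from_login_url(url), "->", resolve_login_redirect(url))
```

The allow-list compares the parsed hostname only, so a port or userinfo section cannot widen it, and a site-relative path is accepted only when it starts with a single "/". Anything the parser cannot classify as same-site falls back to the default page instead of being passed through.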

Change History (1)

#1 @nacin
11 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

When creating this ticket, was "Do not report potential security vulnerabilities here. See the Security FAQ and contact security@…." not noticeable? Honest question. If you have JavaScript enabled, you additionally would have needed to click a checkbox affirming "I am not reporting a security issue — report security issues to security@…".

I'm dealing with this through proper channels to reflect that the issue is the "WP Login" plugin. That plugin does indeed have a "wp-login.php" file, unrelated to WordPress core's "wp-login.php" file. Your report doesn't make it very clear, but WordPress core is not affected by this. I don't know through what means you requested CVE-2014-2229 but if it is classified as a vulnerability in WordPress, it will be inaccurate.

For future reference, any plugin issues can be emailed to plugins@…. Had security@… been emailed, it would have been forwarded there.
