Opened 11 years ago
Closed 11 years ago
#28469 closed defect (bug) (invalid)
Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)
| Reported by: | blackswallow | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | ui | Cc: | |
Description
It is assigned CVE-2014-2229.
WP Login is one of the most powerful WordPress login plugins and it is widely used, e.g.:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F [1]
http://rocketsquids.squidoo.com/wp-login.php?redirect_to=http%3A%2F%2Frocketsquids.squidoo.com
https://managewp.com/wp-login.php?redirect_to=https%3A%2F%2Fmanagewp.com%2F3-8-7-worker-update-news
However, I found that "wp-login.php" has an open redirection vulnerability. That means the WP Login plugin is vulnerable.
The vulnerability exists at "wp-login.php" page with "redirect_to" parameter, e.g.
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.google.com
(1) When a user clicks the URL ([1]) above, the "WordPress login" page appears. The user needs to enter his/her username and password. When this is done, the user is redirected to a webpage belonging to the website that has installed the "WP Login" plugin.
However, it seems that "WP Login" allows some other domains, e.g. google.com.
Now, a user could be redirected from "WP login" to a vulnerable URL in google first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from "WP login" directly.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(2) I will use the following tests to illustrate the scenario I painted above.
The redirected webpage address is "http://www.tetraph.com". It's one of my webpages. We can suppose that this webpage is malicious.
Vulnerable URL:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F
I have made a POC video for illustration. The video is available upon request.
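The following is an added example of the check a login handler needs on `redirect_to`; it is not code from the ticket, from WordPress core, or from the "WP Login" plugin. It mirrors the approach WordPress core takes in `wp_validate_redirect()` (allow only http/https targets whose host is the site itself or explicitly allowed, otherwise fall back to a safe path), written as a stand-alone function. The host `en.wordpress.com`, the fallback `/wp-admin/`, the function name and the test inputs are assumptions chosen for illustration.

```php
<?php
// Added example (not the ticket's or the plugin's code): validate a
// redirect_to parameter before issuing a Location header.
// Assumptions: site host, fallback path and sample inputs are made up.

function validate_login_redirect(
    string $redirect_to,
    string $site_host,
    array  $allowed_hosts = [],
    string $fallback = '/wp-admin/'
): string {
    $allowed = array_map('strtolower', array_merge([$site_host], $allowed_hosts));

    // Browsers treat "\" like "/" and drop tabs/newlines, so normalise the
    // same way before inspecting the value; otherwise "/\evil.example" or
    // "/\tevil.example" would slip past a naive "starts with /" check.
    $url = preg_replace('/[\x00-\x20]/', '', str_replace('\\', '/', $redirect_to));
    if ($url === '') {
        return $fallback;
    }

    // Scheme-relative "//evil.example" leaves the site: reject it.
    if (substr($url, 0, 2) === '//') {
        return $fallback;
    }

    // A single leading "/" is a path on the current host: safe to keep.
    if ($url[0] === '/') {
        return $url;
    }

    $parts = parse_url($url);
    // "http:evil.example" and "javascript:alert(1)" parse without a host.
    if ($parts === false || !isset($parts['host'])) {
        return $fallback;
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }

    // Compare the real host, not the string prefix: parse_url puts
    // "en.wordpress.com@evil.example" into 'user' / 'host' correctly.
    if (!in_array(strtolower($parts['host']), $allowed, true)) {
        return $fallback;
    }

    return $url;
}

// Constructed test inputs (assumption): the ticket's reported target plus
// the usual bypass shapes a tester tries against an allowlist.
$cases = [
    'http://en.wordpress.com/'                  => 'http://en.wordpress.com/',
    '/wp-admin/profile.php'                     => '/wp-admin/profile.php',
    'http://www.google.com'                     => '/wp-admin/',
    '//www.google.com'                          => '/wp-admin/',
    '/\\www.google.com'                         => '/wp-admin/',
    'http:www.google.com'                       => '/wp-admin/',
    'http://en.wordpress.com@www.google.com/'   => '/wp-admin/',
    'http://en.wordpress.com.google.com/'       => '/wp-admin/',
    'javascript:alert(1)'                       => '/wp-admin/',
];

foreach ($cases as $input => $expected) {
    $out = validate_login_redirect($input, 'en.wordpress.com');
    printf("%-42s -> %s%s\n", $input, $out, $out === $expected ? '' : '  (UNEXPECTED)');
}
```

A plugin that ships its own `wp-login.php` should not carry this logic itself: WordPress core already exposes `wp_safe_redirect()`, which runs the target through `wp_validate_redirect()` and the `allowed_redirect_hosts` filter, and a plugin that calls `wp_redirect()` (or `header('Location: ...')`) directly with user input is exactly where an open redirect like the one reported here comes from.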
When creating this ticket, was "Do not report potential security vulnerabilities here. See the Security FAQ and contact security@…." not noticeable? Honest question. If you have JavaScript enabled, you additionally would have needed to click a checkbox affirming "I am not reporting a security issue — report security issues to security@…".
I'm dealing with this through proper channels to reflect that the issue is the "WP Login" plugin. That plugin does indeed have a "wp-login.php" file, unrelated to WordPress core's "wp-login.php" file. Your report doesn't make it very clear, but WordPress core is not affected by this. I don't know through what means you requested CVE-2014-2229 but if it is classified as a vulnerability in WordPress, it will be inaccurate.
For future reference, any plugin issues can be emailed to plugins@…. Had security@… been emailed, it would have been forwarded there.