Some serious security vulnerabilities existed in the WordPress plugin Limit Login Attempts Reloaded. While the developers fixed the bug, they didn’t explicitly announce it to the users.
Limit Login Attempts Reloaded Plugin Vulnerabilities
Security researcher Veno Eivazian has shared insights about some vulnerabilities in a popular WordPress plugin in his blog post.
Limit Login Attempts Reloaded plugin is popular resource for many WordPress websites as it protects them against brute-force attacks by limiting login attempts. At present, the plugin boasts over 1 million active installations.
Regarding the bugs, one of these included a critical severity vulnerability, CVE-2020-35590, that received a score of 9.8. It existed as the plugin failed to appropriately restrict the number of login attempts by any user. As described in the post,
When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.
Whereas, the second vulnerability, CVE-2020-35589 was a medium severity bug with a score of 5.4. This vulnerability could allow XSS attacks from an authenticated remote attacker.
The researcher has described the proof-of-concept for both exploits in the post.
Patches Deployed Silently
The researcher initially discovered the bugs and reported them to the plugin developers in June 2020. The flaws affected the plugin versions until 2.13.0
While they initially requested a 60-day disclosure period, the researcher couldn’t hear back from the plugin team until December 2020.
However, the researcher, in December, verified that the team has silently deployed the fix with the release of version 2.17.4.
Nonetheless, since then, the plugin team has released numerous updates for the plugin. The latest version, according to the website, is 2.19.2.
Hence, all Limit Login Attempts Reloaded plugin users must make sure to keep their websites running with the latest version.