External Login WordPress Plugin Sensitive Data Exposure Vulnerability
Vulnerability
A vulnerability allowing sensitive information exposure has been identified in the External Login plugin for WordPress, affecting all versions through 1.11.2. The issue arises because the 'exlog_test_connection' AJAX action does not include proper capability checks or nonce validation. This flaw enables authenticated attackers with subscriber-level access and above to query the external database configured in the plugin and access truncated usernames, email addresses, and password hashes through the diagnostic test results view.
Impact
Exploitation of this vulnerability allows authenticated users with subscriber-level access and above to access sensitive information, including truncated usernames, email addresses, and password hashes, from the external database configured in the WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher sends a request to the 'exlog_test_connection' AJAX action. Because the action performs no capability check or nonce validation, the request is processed and the user retrieves sensitive data from the external database specified in the plugin's settings. The returned information includes truncated usernames, email addresses, and password hashes, which can be viewed in the diagnostic test results.
Remediation
No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
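Where the plugin cannot be removed immediately, the missing capability check can be enforced from outside it. The following must-use plugin is an added example, not code from the External Login plugin or its authors; the file placement, the function and constant names, and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Guard exlog_test_connection (interim mitigation)
 *
 * Added example, not code from the External Login plugin.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

defined( 'ABSPATH' ) || exit;

// Assumption: only administrators should run the connection test.
const EXLOG_GUARD_CAPABILITY = 'manage_options';

/**
 * Stop the request before the plugin's own handler runs unless the
 * caller holds the required capability.
 */
function exlog_guard_test_connection() {
    if ( current_user_can( EXLOG_GUARD_CAPABILITY ) ) {
        return; // Fall through to the plugin's handler.
    }

    // Record the denied attempt for later review.
    error_log( sprintf(
        'exlog_guard: denied exlog_test_connection for user ID %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// WordPress dispatches logged-in AJAX requests on wp_ajax_{action}.
// PHP_INT_MIN runs this guard ahead of any handler at a later priority.
add_action( 'wp_ajax_exlog_test_connection', 'exlog_guard_test_connection', PHP_INT_MIN );
// Logged-out requests use wp_ajax_nopriv_{action}; deny those as well.
add_action( 'wp_ajax_nopriv_exlog_test_connection', 'exlog_guard_test_connection', PHP_INT_MIN );
```

The guard supplies only the capability check; it does not add nonce validation, and entries it writes to the PHP error log show which accounts attempted the action.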
