LoginPress WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the LoginPress | wp-login Custom Login Page Customizer plugin for WordPress, affecting all versions through 3.3.1. The vulnerability arises from inadequate nonce validation in the 'custom_plugin_set_option' function, allowing unauthenticated attackers to manipulate arbitrary options on a WordPress site. Exploitation requires tricking an administrator into clicking a link, which could, for example, change the default registration role to administrator, enabling unauthorized access. Notably, the 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' for the exploitation to be successful.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in WordPress site settings, including user roles, potentially allowing attackers to gain administrative access.
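As an added defensive example (not LoginPress code), the must-use plugin below watches the WordPress default_role option that the advisory names as the setting an attacker would change. It refuses an 'administrator' default and writes an audit line for every change. The hook names are core WordPress filters and actions; the log format is an assumption.

```php
<?php
// Added example, not part of the LoginPress plugin. Drop into wp-content/mu-plugins/.
// Guards the default_role option: blocks 'administrator' and logs every change.

// pre_update_option_{$option} runs before the write; returning the old value
// makes update_option() a no-op, so the change is never persisted.
add_filter( 'pre_update_option_default_role', function ( $new_value, $old_value ) {
    if ( 'administrator' === $new_value ) {
        error_log( sprintf(
            'BLOCKED default_role -> administrator (user %d, ip %s, uri %s)',
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $_SERVER['REQUEST_URI'] ?? ''
        ) );
        return $old_value;
    }
    return $new_value;
}, 10, 2 );

// update_option_{$option} runs after a successful write; keep an audit trail
// of who changed the default role and from which request.
add_action( 'update_option_default_role', function ( $old_value, $value ) {
    error_log( sprintf(
        'default_role changed from %s to %s (user %d, ip %s, uri %s)',
        $old_value,
        $value,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? ''
    ) );
}, 10, 2 );
```

The audit line records the acting user and request URI, which is what an incident responder needs to tell a legitimate settings change from one triggered by a forged request an administrator was lured into sending.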
Reproduction
To reproduce this vulnerability, an attacker must craft a request that exploits the missing nonce validation in the 'custom_plugin_set_option' function. This request should be designed to update a specific WordPress option, such as the default role for new users. The attacker must then trick an administrator into clicking a link that sends this forged request, taking advantage of the CSRF vulnerability.
Remediation
Users are advised to update the LoginPress WordPress plugin to version 4.0.0 or later, where this vulnerability has been patched.
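To illustrate the root cause described under Vulnerability and Reproduction, here is an added example (not the LoginPress plugin's own code) of a hypothetical AJAX option setter in the weak form the advisory describes, followed by a hardened version. Function, action and option names are assumptions chosen for illustration; the WordPress API calls (check_ajax_referer, current_user_can, update_option, wp_send_json_*) are real core functions.

```php
<?php
// Added example, not LoginPress code. Names prefixed 'example_' are hypothetical.

// WEAK: no nonce, no capability check, and any option key accepted from the client.
// A cross-site request carrying the logged-in admin's cookies reaches update_option().
function example_weak_set_option() {
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// HARDENED: three independent checks, each of which alone stops the forged request
// from changing an arbitrary option.
function example_hardened_set_option() {
    // 1. CSRF protection. The nonce must have been issued by
    //    wp_create_nonce( 'example_set_option' ) on a page rendered for this user
    //    and posted back in the 'nonce' field. On mismatch this dies with HTTP 403.
    check_ajax_referer( 'example_set_option', 'nonce' );

    // 2. Authorization: only users permitted to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: never let the client choose which option is written.
    $allowed = array( 'example_login_logo', 'example_login_background' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// Register only the hardened handler; wp_ajax_ (no nopriv_) limits it to logged-in users.
add_action( 'wp_ajax_example_set_option', 'example_hardened_set_option' );
```

The allowlist is the check that addresses the "arbitrary options" part of the finding: even with a valid nonce and an authorized user, the handler can only touch the settings it was written for, so a role-related option such as default_role is out of reach.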