| Affected plugin | SiteGround Security |
| --- | --- |
| Active installs | 600,000+ |
| Vulnerable version | <= 1.3.0 |
| Audited version | 1.3.0 |
| Fully patched version | 1.4.11 |
| Recommended remediation | Update to version 1.4.11 or higher. |
Description
The plugin uses HTTP cookies to store secret information temporarily. However, because it calls PHP's "setcookie" function incorrectly, the plugin allows an attacker to read these cookies with JavaScript (XSS) or steal them over insecure HTTP connections (man-in-the-middle attack).
Proof of concept
The plugin uses cookies in two scenarios that an attacker can exploit:
In both cases, PHP’s “setcookie” function is called without adjusting the default arguments:
```php
setcookie(
    string $name,
    string $value = "",
    int $expires_or_options = 0,
    string $path = "",
    string $domain = "",
    bool $secure = false,   // EDITOR: default allows the cookie to be sent over plain HTTP
    bool $httponly = false  // EDITOR: default allows JavaScript (document.cookie) access
): bool
```
Furthermore, in both instances, the cookie is available on the entire domain instead of just the /wp-login.php endpoint, which increases the attack surface.
An attacker armed with an XSS vulnerability anywhere on the site can steal a user’s “remember 2FA cookie,” which would allow the attacker to bypass all 2FA checks for the next thirty days.
Proposed patch
- Disable JavaScript access to the cookie by setting $httponly = true when calling "setcookie". There is no reason for JavaScript to be able to read security-related cookies.
- Don't allow security cookies to be sent over HTTP connections by setting $secure = true when calling "setcookie".
- Limit the cookies' availability to the wp-login endpoint.
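To make the proposed patch concrete, here is an added example that is not the plugin's own code: the default-argument call beside a hardened one, plus a small helper that audits a Set-Cookie header for the flags the patch requires. The cookie name, the thirty-day lifetime, and the helper names are assumptions.

```php
<?php
// Added example, not SiteGround Security's code. The cookie name below is a
// constructed placeholder; the real cookie names are not given on this page.

// Vulnerable pattern: only name, value and expiry are passed, so the defaults
// apply: empty path (cookie visible on the whole site), secure = false
// (sent over plain HTTP) and httponly = false (readable by JavaScript).
function set_remember_cookie_insecure(string $value): bool
{
    return setcookie('example_remember_2fa', $value, time() + 30 * 24 * 60 * 60);
}

// Hardened pattern: the options-array form of setcookie (PHP >= 7.3) with
// every flag the proposed patch asks for set explicitly.
function set_remember_cookie_hardened(string $value): bool
{
    return setcookie('example_remember_2fa', $value, [
        'expires'  => time() + 30 * 24 * 60 * 60,
        'path'     => '/wp-login.php', // only the login endpoint needs it
        'domain'   => '',              // host-only cookie, no subdomains
        'secure'   => true,            // never transmitted over plain HTTP
        'httponly' => true,            // document.cookie cannot read it
        'samesite' => 'Strict',        // not attached to cross-site requests
    ]);
}

// Audit helper: given one Set-Cookie header line (e.g. from headers_list() or a
// captured HTTP response), return the problems a reviewer would flag.
function audit_set_cookie_header(string $header): array
{
    $attrs    = array_map('trim', explode(';', $header));
    $lower    = array_map('strtolower', $attrs);
    $problems = [];
    if (!in_array('secure', $lower, true)) {
        $problems[] = 'missing Secure flag';
    }
    if (!in_array('httponly', $lower, true)) {
        $problems[] = 'missing HttpOnly flag';
    }
    $path = '/';
    foreach ($lower as $attr) {
        if (str_starts_with($attr, 'path=')) {
            $path = substr($attr, 5);
        }
    }
    if ($path !== '/wp-login.php') {
        $problems[] = "path '$path' is broader than /wp-login.php";
    }
    return $problems; // empty array means the header passes all three checks
}
```

Running the audit helper on "example_remember_2fa=abc; path=/" reports all three problems, while a header produced by the hardened function passes.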
Timeline
| Vendor contacted | September 07, 2022 |
| --- | --- |
| First Response | September 12, 2022 |
| Fully patched at | February 15, 2024 |
| Publicly disclosed | April 24, 2023 |