| Affected plugin | SiteGround Security |
| Vulnerable version | <= 1.3.0 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
The plugin uses HTTP cookies to store secret information temporarily. However,
Proof of concept
In both cases, PHP’s “setcookie” function is called without adjusting the default arguments:
```php
setcookie(
    string $name,
    string $value = "",
    int $expires_or_options = 0,
    string $path = "",
    string $domain = "",
    bool $secure = false,  // EDITOR: Allows HTTP
    bool $httponly = false // EDITOR: Allows JS access
): bool
```
Furthermore, in both instances, the cookie is available on the entire domain instead of just the /wp-login.php endpoint, which increases the attack surface.
An attacker armed with an XSS vulnerability anywhere on the site can steal a user’s “remember 2FA cookie,” which would allow the attacker to bypass all 2FA checks for the next thirty days.
- Don’t allow security cookies to be sent over HTTP connections by setting $secure = true when calling “setcookie”.
- Limit the cookies’ availability to the wp-login endpoint.
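One way to verify these recommendations from the outside, as an added example that is not part of the original advisory or the plugin's code: it audits `Set-Cookie` header values for the missing `Secure` and `HttpOnly` flags and for a `Path` wider than the login endpoint. The cookie name and the header values are constructed, and the login path assumes WordPress is installed at the site root.

```python
# Added example: audit Set-Cookie header values against the recommendations above.
# Cookie names and header values here are constructed, not taken from the plugin.

LOGIN_PATH = "/wp-login.php"  # assumption: WordPress installed at the site root

# Constructed samples: what setcookie() emits with its defaults, and a hardened form.
WEAK = "example_remember_2fa=TOKEN; Max-Age=2592000"
HARDENED = "example_remember_2fa=TOKEN; Max-Age=2592000; Path=/wp-login.php; Secure; HttpOnly"


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header_value, login_path=LOGIN_PATH):
    """Return a list of findings for one Set-Cookie header value (empty if clean)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, cookie is readable from JavaScript")
    path = attrs.get("path")
    if path is None:
        # Without Path the browser derives one from the request URL's directory,
        # which for a request to /wp-login.php is "/".
        findings.append(f"{name}: no Path attribute, scope falls back to the request directory")
    elif path != login_path:
        findings.append(f"{name}: Path={path} is wider than {login_path}")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        results = audit_cookie(header)
        print(label, "->", results if results else "ok")
```

Feed it the `Set-Cookie` values captured from a login response on a test site; an empty list for every security cookie means all three attributes are in place.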
| Vendor contacted | September 07, 2022 |
| First Response | September 12, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |