Exposure of secrets through insecure HTTP cookies – (SiteGround Security <= 1.3.0)

Affected plugin: SiteGround Security
Active installs: 600,000+
Vulnerable version: <= 1.3.0
Audited version: 1.3.0
Fully patched version: 1.4.11
Recommended remediation: Update to version 1.4.11 or higher.

Description


The plugin uses HTTP cookies to store secret information temporarily. However,
because it calls PHP's "setcookie" function with the default $secure and $httponly arguments, the cookies can be read with JavaScript (for example by an attacker who has an XSS vulnerability on the site) and are also sent over plain HTTP connections, where a man-in-the-middle attacker can intercept them.

Proof of concept


The plugin uses cookies in two scenarios that an attacker can exploit:

  1. Setting a 2FA login nonce cookie
  2. Setting a “don’t ask for 2FA in thirty days” cookie

In both cases, PHP's "setcookie" function is called without adjusting the default arguments, so the security-relevant flags keep their defaults:

 setcookie(
    string $name,
    string $value = "",
    int $expires_or_options = 0,
    string $path = "",            // EDITOR: Default "" scopes the cookie to the whole site
    string $domain = "",
    bool $secure = false,         // EDITOR: Default false allows transmission over plain HTTP
    bool $httponly = false        // EDITOR: Default false allows JavaScript (document.cookie) access
): bool

Furthermore, in both instances the cookie is available on the entire domain (the default $path) instead of only the /wp-login.php endpoint, which increases the attack surface: any script injected anywhere on the site receives it.

An attacker who has an XSS vulnerability anywhere on the site can therefore steal a user's "remember 2FA" cookie, which allows the attacker to bypass the 2FA check for that user for the next thirty days.

Proposed patch


  1. Disable JavaScript access to the cookie by setting $httponly = true when calling "setcookie". There is no reason for JavaScript to be able to read security-related cookies.
  2. Don't allow security cookies to be sent over HTTP connections by setting $secure = true when calling "setcookie".
  3. Limit the cookies' availability to the wp-login.php endpoint by setting $path accordingly.
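The following is an added example, not code from the SiteGround Security plugin. It places the insecure call pattern described in the proof of concept next to the hardened form that applies the three patch points above, using the options-array form of setcookie available since PHP 7.3. The cookie names, the nonce format and the lifetimes are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code). Cookie names, nonce generation and
// lifetimes are assumptions for illustration.

// Vulnerable pattern: only name, value and expiry are passed, so $path, $secure
// and $httponly keep their defaults ("", false, false). The browser will send the
// cookie to every path on the site, over plain HTTP, and expose it via
// document.cookie to any injected script.
function set_2fa_cookie_insecure(string $name, string $value, int $ttl_seconds): bool
{
    return setcookie($name, $value, time() + $ttl_seconds);
}

// Hardened pattern: scope the cookie to the login endpoint, block JavaScript
// access, require TLS and add a SameSite restriction. With these attributes an
// XSS payload cannot read the cookie and a network attacker on a plain-HTTP
// connection never sees it.
function set_2fa_cookie_hardened(string $name, string $value, int $ttl_seconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttl_seconds,
        'path'     => '/wp-login.php',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Usage with assumed cookie names: a short-lived 2FA login nonce and a
// thirty-day "don't ask for 2FA again on this browser" cookie.
// The nonce is an unguessable random token rather than anything derived
// from user data.
set_2fa_cookie_hardened('sg_2fa_nonce', bin2hex(random_bytes(16)), 10 * 60);
set_2fa_cookie_hardened('sg_2fa_remember', bin2hex(random_bytes(32)), 30 * 24 * 60 * 60);
```

One caveat for a plugin that must keep working on sites served only over plain HTTP: a cookie with the Secure attribute is never sent on such a site, so the login flow would break. WordPress core handles its own authentication cookies by deriving the flag from is_ssl(); a plugin can do the same, but for a cookie that waives a second factor for thirty days, plain HTTP already means the protection is lost to any network attacker.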

Timeline


Vendor contacted: September 07, 2022
First response: September 12, 2022
Fully patched at: February 15, 2024
Publicly disclosed: April 24, 2023
