AJAX Login Register WordPress Vulnerability [FIXED]
The AJAX Login Register WordPress vulnerability has been fixed. If you haven’t updated, please update to the latest (1.1.0) as soon as possible.
I’ll admit, like most plugin authors, I’m not one to visit the official WordPress support forum for ZM AJAX Login Register often, because, well, the WordPress support forum UI/UX sucks, and honestly it isn’t something they plan on fixing anytime soon. Instead, customers alert me to product issues via Twitter, the contact form, direct emails, or phone calls. Yes, phone calls.
I have to admit that you are among the top 10 most responsible plugin authors I have met. Most of them, when they are informed about a discovered vulnerability, act like I am the bad guy and try to cover it up.
So when an email landed in my inbox regarding the ZM AJAX Login Register plugin I thought nothing of it, until I saw the automated security report. In a weird way I was happy, but nervous at the same time. Happy because a security analyst had discovered an issue that I could fix, making ZM AJAX Login Register more secure.
** This does NOT concern the Pro version **
What Was The AJAX Login Register WordPress Vulnerability?
Technically put, it is a “local file inclusion vulnerability”; in detail this means:
Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. The plugin simply includes the file specified in the ‘template’ POST parameter without any further validation.
Okay, so what exactly was my code in question that allowed this?
function foo() {
    // Nonce check: the action name itself comes from the request.
    check_ajax_referer( $_POST['referer'], 'security' );

    // Whatever arrives in $_POST['template'] is used to build the path and included as-is.
    load_template( plugin_dir_path( dirname( __FILE__ ) ) . "views/" . $_POST['template'] . '.php' );
}
It was nothing more than an AJAX request, with a check_ajax_referer, followed by load_template. At first I thought the problem was that I hadn’t run $_POST['template'] through sanitize_file_name(), which would prevent XSS attacks. That was one issue, but the second was that I was allowing any file that was submitted via $_POST to be loaded.
The fix was two-fold:
- Use sanitize_file_name – only allow valid characters to be used as the file name.
- Validate the file being loaded – check that the requested file is in the whitelist of allowed files, i.e., an actual template file shipped with the plugin on the server.
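Here is how those two steps look in a hardened handler. This is an added example written for this post, not the plugin’s actual 1.1.0 code; the function names, the nonce action, the views/ directory layout and the two template names in the whitelist are assumptions to adjust for the real plugin. As an extra hardening not described above, the nonce action is fixed in code rather than read from the request.

```php
<?php
// Template names the front end is allowed to request (assumed names).
function zm_alr_allowed_templates() {
    return array( 'login', 'register' );
}

function zm_alr_load_template() {
    // Fixed nonce action (assumed name) instead of one supplied in $_POST['referer'].
    check_ajax_referer( 'zm_alr_nonce', 'security' );

    // Step 1: strip anything that is not a valid file name character.
    $template = isset( $_POST['template'] )
        ? sanitize_file_name( wp_unslash( $_POST['template'] ) )
        : '';

    // Step 2a: the sanitized name must be one we actually ship.
    if ( ! in_array( $template, zm_alr_allowed_templates(), true ) ) {
        wp_send_json_error( 'invalid template' );
    }

    // Step 2b: resolve the real path and confirm it still sits inside views/.
    $views_dir = realpath( plugin_dir_path( dirname( __FILE__ ) ) . 'views' );
    $path      = ( false === $views_dir ) ? false : realpath( $views_dir . '/' . $template . '.php' );
    if ( false === $path || 0 !== strpos( $path, $views_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'template not found' );
    }

    load_template( $path );
    wp_die();
}

add_action( 'wp_ajax_load_template', 'zm_alr_load_template' );
add_action( 'wp_ajax_nopriv_load_template', 'zm_alr_load_template' );
```

The whitelist check alone closes the inclusion hole; the realpath check is a belt-and-braces guard so that a future change to the allowed list cannot reintroduce a path outside views/.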
You can view the GitHub issue here: Security fix for XSS, and local file inclusion vulnerability, #105.
If you are currently using ZM AJAX Login Register version 1.0.9 or older, please update.