Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Marcus

    (@msykes)

    Hello! We’re in the process of investigating this and getting access to the full report for proof of concept.

    From what we can see currently, it doesn’t seem to be as severe as the description describes. Our plugin doesn’t allow actions to be performed as another user, only access to log in/out, and this report doesn’t indicate any vulnerability with regards to unauthorized access.

    That said, we take security very seriously and we’ll be patching this ASAP, and I’d also ask a Mod to review this thread due to unnecessary public disclosure. We wish we’d have been notified directly first.

    According to Patchstack’s Disclosure Policy, they are supposed to contact the software author 30 days before publishing a vulnerability in order to provide time to prepare patches. You may want to contact them to check why they failed to follow their own policy.

    I’ve used your solution for years; it’s still working fine in a lot of projects, it’s useful and straightforward, no strings attached.
    Jumping in just to say it’s been a relief reading your reply @msykes

    Looking forward to your next release.

    pixelmountain

    (@pixelmountain)

    Any update on this? The nagging security warning and lack of plugin update is concerning, although it’s good to see you responded here right away.

    alfredo49

    (@alfredo49)

    Same Wordfence notification

    Plugin Author Marcus

    (@msykes)

    We’ll be patching this up within days. The delay is partly because the bug itself isn’t severe. The only unauthorized action that can be taken here is dismissing our admin notices; for now we can’t disclose more, but aside from this, actually achieving this hack isn’t easy either.

    The second reason for the delay is because we’re in the middle of a big update with a nice new feature, so we’re hoping to fold that into the update rather than retro-patch a version. If we still experience delays in the new update, we’ll do just that anyway.

    Hope that clarifies, and rest assured that your site is safe: this vulnerability doesn’t allow access to your site other than dismissing our specific notices.

    We’ll be patching this up within days

    Marcus

    It’s been 3 weeks since this was said — any news on an update?

    Plugin Author Marcus

    (@msykes)

    This should be patched up by early next week. Sorry, we’ve had some delays due to the upcoming update.

    While I understand this isn’t a critical issue, having these “should be done by X” days come and go so often is not engendering much trust in having a fix become available, forcing some of us to consider alternatives when we’d rather not.

    Plugin Author Marcus

    (@msykes)

    Yes, I understand. We’re literally/hopefully hours away from an update! This is a jam-packed update with some big new features.

    Again, we reiterate though that the vulnerability is minor: the only side effect is that if someone can intercept your (admin) cookies somehow, and log in as a user on your site, they can disable the admin notice saying ‘welcome to lwa version x!’. That’s it.
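The class of bug discussed in this thread (a logged-in user dismissing an admin-only notice without authorization) is a common WordPress pattern: an `admin-ajax.php` handler that updates an option without checking a nonce or a capability. The following is an added, hypothetical illustration written for this page; it is not Login With Ajax code and says nothing about how that plugin was actually written. All hook names, option names, the `example` text domain and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration (hypothetical, not Login With Ajax code): an admin-notice
 * dismissal handler with missing access control, beside a hardened version.
 */

// --- Vulnerable pattern (hypothetical) ---
// wp_ajax_{action} fires for *every* authenticated user, regardless of role.
// Without a nonce or capability check, any subscriber-level account (or any
// request riding on a stolen logged-in cookie) can POST
// action=example_dismiss_notice_vulnerable and clear an admin-only notice.
add_action( 'wp_ajax_example_dismiss_notice_vulnerable', function () {
    update_option( 'example_welcome_notice_dismissed', 1 ); // no authz, no CSRF check
    wp_send_json_success();
} );

// --- Hardened pattern ---
// 1. Render the notice only to users allowed to act on it, and embed a nonce
//    so the dismissal request can be tied to that page view.
function example_render_welcome_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // notice is admin-only; don't even render it for other roles
    }
    if ( get_option( 'example_welcome_notice_dismissed' ) ) {
        return;
    }
    $nonce = wp_create_nonce( 'example_dismiss_notice' );
    printf(
        '<div class="notice notice-info is-dismissible" id="example-welcome-notice" data-nonce="%s"><p>%s</p></div>',
        esc_attr( $nonce ),
        esc_html__( 'Welcome to the new version!', 'example' )
    );
}
add_action( 'admin_notices', 'example_render_welcome_notice' );

// Small inline script that sends the nonce when the notice is dismissed.
add_action( 'admin_footer', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <script>
    document.addEventListener('click', function (e) {
        var n = e.target.closest('#example-welcome-notice .notice-dismiss');
        if (!n) { return; }
        var box = document.getElementById('example-welcome-notice');
        var body = new URLSearchParams({ action: 'example_dismiss_notice', nonce: box.dataset.nonce });
        fetch(ajaxurl, { method: 'POST', credentials: 'same-origin', body: body });
    });
    </script>
    <?php
} );

// 2. Verify the nonce (CSRF) AND the capability (authorization) before writing.
function example_dismiss_notice_handler() {
    // Dies with HTTP 403 ("-1") if the nonce is missing or invalid.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // A valid nonce proves intent, not privilege: a subscriber can obtain a
    // nonce for their own session too. Gate on the same capability the notice
    // itself is gated on.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    update_option( 'example_welcome_notice_dismissed', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_handler' );
```

The check a reviewer wants to see is the pairing in the handler: `check_ajax_referer()` alone only blocks cross-site forgery, and `current_user_can()` alone still allows a forged request from an admin's browser, so a state-changing `wp_ajax_` callback needs both. Note also that `wp_ajax_nopriv_` is deliberately not registered here, so unauthenticated requests never reach the handler.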

    Plugin Author Marcus

    (@msykes)

    Hi Everyone!

    Very sorry for the delay. We’ve introduced v4.2, which includes a fix for the update, as well as fully-fledged 2FA among other improvements. We hope you like the new features!

  • The topic ‘Plugin is vulnerable to Broken Access Control’ is closed to new replies.