Caps Lock False Positive

  • Steven Ray

    (@steveneray)


    5 months ago

    Greeting, @weblizar,

    I am using Admin Custom Login 3.6.2, and since updating from 3.6.1 two weeks ago, whenever I log in, the window reports Caps Lock is engaged when it is not. This same issue occurs on any website running 3.6.2. I see from the changelog that the plugin is tested and working clean with WordPress 6.9; however, that is not accurate.

    I’ve identified the root cause: When your plugin replaces the password field on line 269 of init.php using innerHTML, it corrupts WordPress 6.9’s changed caps lock detection event handlers. This leaves the detection in a broken state, incorrectly reporting Caps Lock as engaged.

    I’ve updated the init.php file to prevent WordPress’s broken caps-lock detection from falsely triggering a display, and to provide accurate detection instead. The fix adds CSS to hide the false warning, uses a MutationObserver to block it from appearing, and implements proper caps lock detection using the getModifierState() API.

    While I was at it, I ran a security and code audit and found several critical vulnerabilities in the plugin. The import function had a file upload vulnerability: it used explode() on the first dot instead of pathinfo() on the last dot, allowing files like “malicious.php.json” to bypass validation. There was also an unsafe unserialize() call with error suppression that could enable object-injection attacks, and a syntax error involving an incomplete ternary operator that broke import functionality entirely. Additionally, error_reporting(0) suppressed all PHP errors in four files, potentially hiding potential security issues. I’ve fixed all the security issues and tested extensively.

    I will directly send the four corrected files, which resolves the issues completely, to your support email. Please apply these fixes ASAP and update to version 3.6.3 to address these critical security vulnerabilities and the caps lock bug.

Viewing 1 replies (of 1 total)
  • Thread Starter Steven Ray

    (@steveneray)

    4 months, 2 weeks ago

    I can’t help but notice that @weblizar doesn’t seem to care about its broken code, as nothing has been done after two weeks of multiple attempts at communication, and yet another error has been found.

    I found the following error as a result of having debug on: Warning: Uninitialized string offset 0 in /home/account/public_html/wp-content/plugins/admin-custom-login/login-form-screen.php on line 68

    This is unrelated to the significant issues reported and fixed initially; however, it has been long-standing in the plugin for some time. Again, I fixed it because my clients don’t appreciate broken plugins.

    Your developers were injecting error_reporting(0) everywhere to hide PHP errors from users, which, if WordPress finds out, could result in the plugin being suspended from the repository as they have done before. I have reported this security-compromised and vulnerable plugin to Patchstack.

    I submitted all the correct files for ease of deployment, along with changelog entries, directly to your support email, AND notified Weblizar support through your contact form. The good result is that this situation has motivated me to create my own login plugin, one that will actually receive support.

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.