The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.
1. Add the registration shortcode to a page. 2. Add the tabbed login/register widget on the same page. 3. Visit the page logged out and add this to the end of the URL /?tabbed-login-name="><script>alert(1)</script> This could also be replicated by posting to any page with the widget present, which would not need the registration shortcode to be present on the page.
Stiofan
Stiofan
No
2021-08-09 (about 1 years ago)
2021-07-12 (about 1 years ago)
2022-02-06 (about 6 months ago)