logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error

Description

The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.

Proof of Concept

https://example.com/wp-login.php?login-error=%3Cscript%3Ealert(0)%3C/script%3E

Affects Plugins

daggerhart-openid-connect-generic

Fixed in version 3.8.2

References

CVE

CVE-2021-24214

URL

https://plugins.trac.wordpress.org/changeset/2502620/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Austin Bentley

Submitter

Austin Bentley

Submitter website

https://bentl.ee

Verified

Yes

WPVDB ID

31cf0dfb-4025-4898-a5f4-fc7115565a10

Timeline

Publicly Published

2021-04-07 (about 7 months ago)

Added

2021-04-07 (about 7 months ago)

Last Updated

2021-04-08 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin