WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error

Description

The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.

Proof of Concept

https://example.com/wp-login.php?login-error=%3Cscript%3Ealert(0)%3C/script%3E

Affects Plugins

daggerhart-openid-connect-generic
Fixed in version 3.8.2

References

CVE
CVE-2021-24214
URL
https://plugins.trac.wordpress.org/changeset/2502620/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Austin Bentley

Submitter

Austin Bentley

Submitter website
https://bentl.ee
Verified

Yes

WPVDB ID
31cf0dfb-4025-4898-a5f4-fc7115565a10

Timeline

Publicly Published

2021-04-07 (about 1 years ago)

Added

2021-04-07 (about 1 years ago)

Last Updated

2021-04-08 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin