WordPress Plugin Vulnerabilities

OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error

Description

The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.

Proof of Concept

Affects Plugins

Plugin icon
daggerhart-openid-connect-generic
Fixed in 3.8.2

References

CVE
CVE-2021-24214
URL
https://plugins.trac.wordpress.org/changeset/2502620/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Austin Bentley
Submitter
Austin Bentley
Submitter website
https://bentl.ee
Verified
Yes
WPVDB ID
31cf0dfb-4025-4898-a5f4-fc7115565a10

Timeline

Publicly Published
2021-04-07 (about 4 years ago)
Added
2021-04-07 (about 4 years ago)
Last Updated
2021-04-08 (about 4 years ago)

Other

Published
Title
Published
2024-07-04
Title
HelloAsso < 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-10-24
Title
Traffic Manager <= 1.4.5 - Subscriber+ Stored Cross-Site Scripting
Published
2024-03-25
Title
Aparat for WordPress < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-07-10
Title
Authors List < 2.0.3 - Reflected Cross-Site Scripting
Published
2019-09-16
Title
InJob < 3.3.8 - Reflected & Persistent XSS