WordPress Plugin Vulnerabilities
OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error
Description
The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.
Proof of Concept
https://example.com/wp-login.php?login-error=%3Cscript%3Ealert(0)%3C/script%3E
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Austin Bentley
Submitter
Austin Bentley
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-07 (about 3 years ago)
Added
2021-04-07 (about 3 years ago)
Last Updated
2021-04-08 (about 3 years ago)