WordPress Plugin Vulnerabilities

Login with phone number < 1.3.8 - Multiple Admin+ Stored XSS

Description

The plugin does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Plugin settings > Style Settings > button border radius (or other field) put to input field: </style><script>alert('XSS');</script><!--

Plugin settings > Text & localizations > Title of login form put to input field: <script>alert('XSS');</script>

Affects Plugins

Plugin icon
login-with-phone-number
Fixed in 1.3.8

References

CVE
CVE-2022-0598

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Michal Lipinski
Submitter
Michal Lipinski
Submitter website
https://beastiecode.com
Verified
Yes
WPVDB ID
4688d39e-ac9b-47f5-a4c1-f9548b63c68c

Timeline

Publicly Published
2022-07-05 (about 1 years ago)
Added
2022-07-05 (about 1 years ago)
Last Updated
2023-04-08 (about 7 months ago)

Other

Published
Title
Published
2023-02-07
Title
Interactive Geo Maps < 1.5.11 - Editor+ Stored XSS
Published
2022-05-09
Title
StaffList < 3.1.7 - Reflected Cross-Site Scripting
Published
2023-10-25
Title
Simple User Listing < 1.9.3 - Reflected XSS
Published
2023-10-16
Title
User Registration < 3.0.4.2 - Admin+ Stored XSS
Published
2015-10-21
Title
WordPress Calls to Action <= 2.4.3 - Reflected Cross-Site Scripting (XSS)