WordPress Plugin Vulnerabilities

Admin Custom Login < 3.2.8 - CSRF to Stored XSS

Description

The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7.

Proof of Concept

Affects Plugins

Plugin icon
admin-custom-login
Fixed in 3.2.8

References

CVE
CVE-2021-34628
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34628

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ryoma Nishioka
Submitter
Wordfence
Submitter website
https://wordfence.com
Verified
Yes
WPVDB ID
7720b38f-8862-4897-8e05-8e5964f0415f

Timeline

Publicly Published
2021-07-28 (about 4 years ago)
Added
2021-07-28 (about 4 years ago)
Last Updated
2022-02-24 (about 4 years ago)

Other

Published
Title
Published
2025-04-09
Title
Flags Widget <= 1.0.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-11-28
Title
Advanced What should we write next about <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2015-05-05
Title
WP Ultimate CSV Importer < 3.7.3 - Various CSRF
Published
2024-12-11
Title
WP Currency Exchange Rates < 1.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-05-13
Title
Extend Themes <= (Multiple Versions) - Cross-Site Request Forgery