The Jetpack Scan team identified a Reflected Cross-Site Scripting vulnerability in the Login Form of the plugin. The plugin hooks the WordPress login form (wp-login.php) to let users authenticate on the site with their Patreon account. Unfortunately, some of the error-logging logic behind the scenes allowed user-controlled input to be reflected on the login page unsanitized. To successfully exploit this vulnerability, an attacker needs to trick a victim into visiting a booby-trapped link containing malicious JavaScript code. Because that JavaScript runs in the victim's browser context, the attacker can adjust the code hidden in the link to do whatever that user's privileges allow. If the attack succeeds against an administrator, the script can completely take over the site.
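As an added illustration (not the plugin's code, which this page does not show), the following hypothetical `login_message` filter demonstrates the class of bug described above, a login-page error message that reflects a request parameter as raw HTML, next to a hardened version that escapes output and maps error codes to fixed text. The `patreon_error` parameter and the function names are assumptions; `add_filter`, `wp_unslash`, `sanitize_key` and `esc_html` are core WordPress APIs.

```php
<?php
// Hypothetical example, not the plugin's own code.

// VULNERABLE: the query-string value is concatenated straight into the
// login page markup, so any HTML or <script> in ?patreon_error=... is
// rendered by the victim's browser (a reflected XSS sink).
function vulnerable_login_error_message( $message ) {
    if ( isset( $_GET['patreon_error'] ) ) {            // hypothetical parameter
        $error    = wp_unslash( $_GET['patreon_error'] );
        $message .= '<p class="message">' . $error . '</p>';
    }
    return $message;
}

// HARDENED: never reflect free-form input as markup.
// 1. Accept only a short error code and map it to text the plugin owns.
// 2. Escape whatever is emitted with esc_html(), so < > & " ' become
//    entities and cannot be interpreted as tags or attributes.
function hardened_login_error_message( $message ) {
    $known_errors = array(
        'denied' => 'Patreon authorization was denied.',
        'state'  => 'The login request could not be verified. Please try again.',
    );
    if ( isset( $_GET['patreon_error'] ) ) {            // hypothetical parameter
        // sanitize_key() reduces the value to [a-z0-9_-], discarding markup.
        $code = sanitize_key( wp_unslash( $_GET['patreon_error'] ) );
        $text = isset( $known_errors[ $code ] )
            ? $known_errors[ $code ]
            : 'Login via Patreon failed.';
        $message .= '<p class="message">' . esc_html( $text ) . '</p>';

        // If the raw value is also written to a log, sanitize it there too so
        // the log viewer does not become a second injection point.
        error_log( 'Patreon login error code: ' . $code );
    }
    return $message;
}

add_filter( 'login_message', 'hardened_login_error_message' );
```

Escaping at the output point (esc_html) is the fix that closes the reflection; whitelisting the error code on top of it removes the free-form input from the page entirely.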
George Stephanis, Fioravante Souza, Miguel Neto, Benedict Singer and Marc Montpas
Marc Montpas
Yes
2021-03-26
2021-03-26
2021-03-28