WordPress Plugin Vulnerabilities

LoginPress < 1.5.12 - Reflected Cross-Site Scripting

Description

The plugin does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
loginpress
Fixed in 1.5.12

References

CVE
CVE-2022-0347

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
a5084367-842b-496a-a23c-24dbebac1e8b

Timeline

Publicly Published
2022-02-14 (about 3 years ago)
Added
2022-02-14 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2023-02-20
Title
Exquisite PayPal Donation <= 2.0.0 - Admin+ Stored XSS
Published
2021-09-06
Title
Appointment Hour Booking < 1.3.16 - Admin+ Stored Cross-Site Scripting
Published
2024-03-07
Title
Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Messenger Chat Widget
Published
2025-04-15
Title
Feedify – Web Push Notifications < 2.4.6 - Reflected Cross-Site Scripting
Published
2024-07-10
Title
Calendar.online / Kalender.digital < 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting