Lucene search

K
wpvulndbAustin BentleyWPVDB-ID:31CF0DFB-4025-4898-A5F4-FC7115565A10
HistoryApr 07, 2021 - 12:00 a.m.

OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error

2021-04-0700:00:00
Austin Bentley
wpscan.com
14

The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.

PoC

https://example.com/wp-login.php?login-error=<script>alert(0)</script>

Related for WPVDB-ID:31CF0DFB-4025-4898-A5F4-FC7115565A10