The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.
https://example.com/wp-login.php?login-error=<script>alert(0)</script>
CPE | Name | Operator | Version |
---|---|---|---|
daggerhart-openid-connect-generic | lt | 3.8.2 |