BugTraq
Admin Custom Login WordPress plugin custom login page affected by persistent Cross-Site Scripting Mar 01 2017 06:00AM
Summer of Pwnage (lists securify nl)
------------------------------------------------------------------------

Admin Custom Login WordPress plugin custom login page affected by
persistent Cross-Site Scripting
------------------------------------------------------------------------

Burak Kelebek, July 2016

------------------------------------------------------------------------

Abstract
------------------------------------------------------------------------

A persistent Cross-Site Scripting vulnerability has been encountered in
the Admin Custom Login WordPress plugin. This issue allows an attacker
to perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. There
is an option in this plugin to add custom style on the login page of
wordpress. If you simply close the </style> tags you are able to put
malicious script which will be executed on the login page.

------------------------------------------------------------------------

OVE ID
------------------------------------------------------------------------

OVE-20160712-0003

------------------------------------------------------------------------

Tested versions
------------------------------------------------------------------------

This issue was succesfully tested on the Admin Custom Login WordPress
plugin version 2.4.5.2.

------------------------------------------------------------------------

Fix
------------------------------------------------------------------------

There is currently no fix available.

------------------------------------------------------------------------

Details
------------------------------------------------------------------------

https://sumofpwn.nl/advisory/2016/admin_custom_login_wordpress_plugin_cu
stom_login_page_affected_by_persistent_cross_site_scripting.html

------------------------------------------------------------------------

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus