Headline
WordPress Login Configurator 2.1 Cross Site Scripting
WordPress Login Configurator plugin version 2.1 and below suffer from a cross site scripting vulnerability.
Tittle:WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site ScriptingReferences:CVE-2023-1893Author:Taurus Omar Description:The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.Affects Plugins:Login Configurator - No known fix - plugin closedProof of Concept:Visit the following path:/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7Related news
CVE-2023-1893
The Login Configurator WordPress plugin through 2.1 does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.