
CVE-2021-24214 OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error

2021-05-05 18:39:42
CWE-79
WPScan
www.cve.org
Tags: openid connect, wordpress plugin, xss, vulnerability, cross-site scripting, authentication

EPSS: 0.003 (percentile 71.4%)

The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.

CNA Affected

[
  {
    "product": "OpenID Connect Generic Client",
    "vendor": "daggerhart",
    "versions": [
      {
        "lessThan": "3.8.0*",
        "status": "affected",
        "version": "3.8.0",
        "versionType": "custom"
      },
      {
        "lessThan": "3.8.2",
        "status": "affected",
        "version": "3.8.2",
        "versionType": "custom"
      }
    ]
  }
]

