The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error before outputting it back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.
[
  {
    "product": "OpenID Connect Generic Client",
    "vendor": "daggerhart",
    "versions": [
      {
        "lessThan": "3.8.0*",
        "status": "affected",
        "version": "3.8.0",
        "versionType": "custom"
      },
      {
        "lessThan": "3.8.2",
        "status": "affected",
        "version": "3.8.2",
        "versionType": "custom"
      }
    ]
  }
]