Lucene search
Niraj MahajanWPVDB-ID:E9E4DFBE-01B2-4003-80ED-DB1E45F38B2BHistoryJun 06, 2022 - 12:00 a.m.
Login using WordPress Users < 1.13.4 - Admin+ Stored Cross-Site Scripting
2022-06-0600:00:00
Niraj Mahajan
wpscan.com
11
0.001 Low
EPSS
Percentile
25.0%
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
PoC
Put the following payload in the “IDP Metadata” > “IdP EntityID / Issuer” setting: ">
| CPE | Name | Operator | Version |
|---|---|---|---|
| miniorange-wp-as-saml-idp | lt | 1.13.4 |
Related
cve
cve
CVE-2022-1010
2022-06-27 09:15:08
wpexploit
wpexploit
Login using WordPress Users < 1.13.4 - Admin+ Stored Cross-Site Scripting
2022-06-06 00:00:00
nvd
nvd
CVE-2022-1010
2022-06-27 09:15:08
cvelist
cvelist
cnvd
cnvd
WordPress Login using WordPress Users plugin跨站脚本漏洞
2022-06-30 00:00:00
prion
prion
Cross site scripting
2022-06-27 09:15:00