Advisory:

CSRF/XSS vulnerability in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do

Vulnerability

Last revised:

This plugin is vulnerable to a combined CSRF and stored XSS attack. An attacker who can persuade a logged-in administrator to visit a page of their choosing can submit the plugin's settings form on the administrator's behalf (the save handler accepts the POST without a nonce) and store arbitrary HTML in the custom_style_afo option, which the plugin then outputs on its admin page without escaping. The injected JavaScript runs in the administrator's browser with the administrator's session, so the attacker can create user accounts, create posts, delete all posts, and otherwise do anything the administrator can do.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator clicks the submit button on this form, a JavaScript alert is displayed on the plugin's settings screen: the stored value is echoed inside a <textarea>, and the payload closes that element before injecting a <script> tag. In a real attack the form can be made to auto-submit with JavaScript, so the administrator need only load the attacker's page.

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=login_widget_afo">
  <input type="text" name="custom_style_afo" value="&lt;/textarea>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="option" value="login_widget_afo_save_settings">
  <input type="submit">
</form>
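To show the two defects the proof of concept relies on side by side, the following is an illustrative WordPress settings handler in PHP. It is an added example written for this advisory, not code from the Login Widget With Shortcode plugin and not the vendor's fix in 3.2.1; the function names, nonce name, capability check and menu registration are assumptions, while the option name, page slug and the `option` form field are taken from the proof of concept above.

```php
<?php
/**
 * Illustrative settings handler for an option named custom_style_afo.
 * Added example: not the Login Widget With Shortcode plugin's code and not
 * the vendor's fix. Function names, nonce name and menu registration are
 * assumptions; option name, page slug and the "option" field come from the PoC.
 */

// --- Vulnerable pattern: the class of bug the advisory describes ----------

function lwafo_vulnerable_settings_page() {
    // No nonce check: a cross-site POST riding on an admin's cookies is accepted.
    if ( isset( $_POST['option'] ) && $_POST['option'] === 'login_widget_afo_save_settings' ) {
        update_option( 'custom_style_afo', $_POST['custom_style_afo'] );
    }
    $style = get_option( 'custom_style_afo', '' );
    // Unescaped output inside <textarea>: "</textarea><script>..." breaks out.
    echo '<form method="post">';
    echo '<textarea name="custom_style_afo">' . $style . '</textarea>';
    echo '<input type="hidden" name="option" value="login_widget_afo_save_settings">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened pattern -----------------------------------------------------

function lwafo_hardened_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['option'] ) && $_POST['option'] === 'login_widget_afo_save_settings' ) {
        // Dies unless the request carries a valid nonce bound to this action and
        // the current user's session; an attacker's page cannot supply one,
        // which defeats the CSRF half of the attack.
        check_admin_referer( 'login_widget_afo_save_settings', 'login_widget_afo_nonce' );

        // Defence in depth: the option is meant to hold CSS, so refuse markup.
        // The real protection against the XSS is the output escaping below.
        $style = isset( $_POST['custom_style_afo'] )
            ? wp_strip_all_tags( wp_unslash( $_POST['custom_style_afo'] ) )
            : '';
        update_option( 'custom_style_afo', $style );
    }

    $style = get_option( 'custom_style_afo', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'login_widget_afo_save_settings', 'login_widget_afo_nonce' );
    // esc_textarea() entity-encodes &, <, >, " and ', so a stored value can
    // never close the <textarea>, even if a malicious value is already saved.
    echo '<textarea name="custom_style_afo">' . esc_textarea( $style ) . '</textarea>';
    echo '<input type="hidden" name="option" value="login_widget_afo_save_settings">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Page slug matches the PoC URL: options-general.php?page=login_widget_afo
add_action( 'admin_menu', function () {
    add_options_page( 'Login Widget', 'Login Widget', 'manage_options',
        'login_widget_afo', 'lwafo_hardened_settings_page' );
} );
```

Both defects must be fixed: a nonce check alone still leaves the admin page exploitable by anyone who can write the option through another path, and output escaping alone still lets a cross-site POST silently change the site's settings.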

Advisory timeline

  • 2014-08-26: Discovered
  • 2014-09-15: Reported to vendor by email
  • 2014-09-15: Vendor reported the issue fixed and a new version released
  • 2014-09-17: Published

Mitigation/further actions

Upgrade to version 3.2.1 or later.