Erident Custom Login & Dashboard 3.4-3.4.1 - Stored Cross-Site Scripting (XSS)


Description
The Erident Custom Login and Dashboard plugin exposes a call to the update_option method when a specific POST field is submitted to the plugin's settings screen.

No CSRF token is checked, so if an administrative user can be tricked into visiting a site hosting a malicious form, the attacker can reach this unsafe update_option call and store a Cross-Site Scripting payload that executes in the admin dashboard.

The vulnerable method call is located on line 312 of erident-custom-login-and-dashboard/er-custom-login.php.

Proof of Concept
<!-- The form must use the action attribute to POST to the settings page; the page as published had target, which only names a browsing context and does not submit to that URL -->
<form id="form" method="POST" action="http://localhost/wp-admin/options-general.php?page=erident-custom-login-and-dashboard">
	<input type="hidden" name="er_options_up[dashboard_data_left]" value="Powered by YourWebsiteName<script>alert(1)</script>"/>
</form>
<script>document.getElementById("form").submit();</script>
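As an added example (not code from the plugin or from the researcher's advisory), a hardened settings handler for the flow the description and PoC above describe: a nonce check defeats the forged form, a capability check stops non-administrators, and wp_kses_post strips the script payload before update_option. The er_options_up[dashboard_data_left] field and the page slug come from the PoC; the option name, function names and the shape of the original line-312 call are assumptions.

```php
<?php
// Added example, not the plugin's own code. The page describes an unprotected
// update_option() reached by posting er_options_up; a minimal unsafe handler of
// that shape (assumed, not quoted from the plugin) would look like:
//   if ( isset( $_POST['er_options_up'] ) ) update_option( 'er_options', $_POST['er_options_up'] );
// Below is the same flow with the three missing controls added.

// Render the settings form; the nonce field is what the vulnerable version lacked.
function ecld_example_render_settings_form() {
    $opts = get_option( 'ecld_example_options', array() ); // assumed option name
    $left = isset( $opts['dashboard_data_left'] ) ? $opts['dashboard_data_left'] : '';
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=erident-custom-login-and-dashboard' ) ); ?>">
        <?php wp_nonce_field( 'ecld_example_save', 'ecld_example_nonce' ); ?>
        <textarea name="er_options_up[dashboard_data_left]"><?php echo esc_textarea( $left ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. Each check closes one link in the chain: capability (only
// admins may change settings), nonce (a cross-site form cannot carry a valid
// one), and sanitisation (<script> never reaches update_option).
function ecld_example_save_settings() {
    if ( ! isset( $_POST['er_options_up'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Terminates the request when the nonce is missing or stale; this check
    // alone stops the forged-form PoC shown above.
    check_admin_referer( 'ecld_example_save', 'ecld_example_nonce' );

    $raw   = wp_unslash( $_POST['er_options_up'] );
    $clean = array();
    // Keep only the post-safe HTML subset: <script> is removed, while benign
    // markup such as <strong> in the footer text survives.
    $clean['dashboard_data_left'] = isset( $raw['dashboard_data_left'] )
        ? wp_kses_post( $raw['dashboard_data_left'] )
        : '';
    update_option( 'ecld_example_options', $clean );
}
add_action( 'admin_init', 'ecld_example_save_settings' );

// Filter again on output: stored data is not trusted even after sanitisation.
function ecld_example_dashboard_footer() {
    $opts = get_option( 'ecld_example_options', array() );
    echo wp_kses_post( isset( $opts['dashboard_data_left'] ) ? $opts['dashboard_data_left'] : '' );
}
```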

Affects

Plugin erident-custom-login-and-dashboard
fixed in version 3.5

References

URL https://research.g0blin.co.uk/g0blin-00048/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 139
Verified No
WPVDB ID 8051

Timeline

Publicly Published 2015-06-18
Added 2015-06-18
Last Updated 2015-06-18

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.