Cerber Limit Login Attempts <= 2.0.1.6 - Unauthenticated Stored XSS

Sign up to our free email alerts service for instant vulnerability notifications!

Description
If the option "I'm behind a proxy" is enabled, the visitor IP is read from X-Forwarded-For header, stored & printed in the admin panel without any sanitization / validation.
Proof of Concept
Set the X-Forwarded-For header to <script>alert(1)</script>, and perform an incorrect login.

Affects Plugin

fixed in version 2.7

References

URL https://wordpress.org/plugins/wp-cerber/changelog/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Gerard Arall
Submitter Website https://github.com/arall
Views 369
Verified No
WPVDB ID 8430

Timeline

Publicly Published 2016-04-01 (over 1 year ago)
Added 2016-04-01 (over 1 year ago)
Last Updated 2016-04-01 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.