CVE-2021-24658 in Erident Custom Login and Dashboard Plugin
Summary
by MITRE • 08/23/2021
The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfileted_html is disabled)
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/26/2021
The Erident Custom Login and Dashboard WordPress plugin version 3.5.8 and earlier contained a critical cross-site scripting vulnerability that allowed attackers with high privilege user accounts to execute malicious scripts within the context of the affected WordPress installation. This vulnerability specifically exploited improper sanitization of user settings within the plugin's administrative interface, creating a persistent security weakness that could be leveraged by authenticated users to compromise the entire WordPress environment. The flaw existed despite the WordPress installation having the unfiltered_html capability disabled, which typically prevents users from injecting malicious code into the system.
The technical nature of this vulnerability stems from the plugin's failure to properly validate and sanitize user input within its settings management functionality. When high privilege users accessed the plugin's administrative panels to modify configuration settings, the application did not adequately filter or escape potentially malicious input that could contain script tags or other XSS payloads. This improper sanitization allowed attackers to inject JavaScript code that would execute in the browsers of other users who visited the affected WordPress admin areas or frontend pages where the plugin was active. The vulnerability falls under the CWE-79 category for Cross-Site Scripting, specifically representing a failure to properly escape output in web applications.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a foothold for more sophisticated attacks within the WordPress environment. High privilege users with access to plugin settings could craft persistent XSS payloads that would execute whenever other administrators or users viewed the affected pages, potentially leading to session hijacking, privilege escalation, or data exfiltration. The vulnerability is particularly concerning because it operates within the administrative context of WordPress, where attackers could leverage the compromised system to gain deeper access to the entire website infrastructure, including user databases and other plugin configurations.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to version 3.5.9 or later, which contain the necessary sanitization fixes. Administrators should also implement additional security measures including regular monitoring of plugin updates, restricting administrative privileges to only essential personnel, and implementing content security policies to prevent unauthorized script execution. The vulnerability demonstrates the importance of proper input validation and output escaping in web applications, aligning with ATT&CK technique T1059.001 for command and script injection. Organizations should also consider implementing web application firewalls and regular security audits to identify similar sanitization flaws in other plugins or custom code within their WordPress installations, as this type of vulnerability commonly affects poorly secured user input handling within content management systems.