CVE-2021-43409 in WPO365 LOGIN Plugininfo

Summary

by MITRE • 11/19/2021

The "WPO365 | LOGIN" WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account take over and accessing sensitive data. In this case, the XSS payload can be submitted by any anonymous user, the payload then renders and executes when a WordPress administrator authenticates and accesses the WordPress Dashboard. The injected payload can carry out actions on behalf of the administrator including adding other administrative users and changing application settings. This flaw could be exploited to ultimately provide full control of the affected system to the attacker.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 11/22/2021

The CVE-2021-43409 vulnerability affects the WPO365 | LOGIN WordPress plugin version 15.3 and earlier, presenting a critical persistent cross-site scripting flaw that enables attackers to execute malicious code within the context of administrator sessions. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting conditions where untrusted data is incorporated into web pages without proper sanitization or encoding mechanisms. The flaw exists in how the plugin processes user input during the authentication flow, particularly when administrators access the WordPress dashboard after malicious payloads have been submitted by anonymous users.

The technical implementation of this vulnerability allows any unauthenticated user to inject malicious scripts into the plugin's data handling mechanisms. When the WordPress administrator subsequently authenticates and navigates to the dashboard, the stored malicious code executes within their browser context, creating a second-order XSS condition. This persistent nature means the payload remains stored within the application's database or storage mechanisms and executes automatically whenever the affected page is accessed. The vulnerability specifically targets the authentication and dashboard access phases, making it particularly dangerous as it can be exploited during legitimate administrative activities.

The operational impact of this vulnerability extends far beyond simple script execution, as it provides attackers with the capability to fully compromise the affected WordPress installation. The XSS payload can perform administrative actions such as creating new administrator accounts, modifying plugin settings, and accessing sensitive system information that would normally be restricted to authorized personnel. This represents a significant escalation from typical XSS attacks, as the attacker gains elevated privileges within the application context. The vulnerability creates a persistent backdoor that can be leveraged for ongoing access and data exfiltration, making it particularly attractive for attackers seeking long-term system compromise.

Security practitioners should immediately implement mitigations including updating to the patched version of the WPO365 | LOGIN plugin, implementing web application firewalls to detect and block suspicious script payloads, and conducting comprehensive security audits of all installed WordPress plugins. The vulnerability demonstrates the critical importance of input validation and output encoding in authentication flows, aligning with ATT&CK technique T1566 which covers social engineering tactics including credential access through web-based attacks. Organizations should also consider implementing content security policies to prevent execution of unauthorized scripts and establish monitoring procedures to detect unusual administrative activities that might indicate compromise. The incident underscores the necessity of regular security assessments and the importance of maintaining up-to-date software components to prevent exploitation of known vulnerabilities.

Responsible

[email protected]

Reservation

11/05/2021

Disclosure

11/19/2021

Moderation

accepted

CPE

ready

EPSS

0.00937

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!