PT-2021-23836 · WordPress · Wpo365-Login

Published 2021-11-19 · Updated 2021-11-24 · CVE-2021-43409
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WPO365 | LOGIN WordPress plugin, versions up to and including 15.3
Description: The WPO365 | LOGIN WordPress plugin is vulnerable to persistent (stored) Cross-Site Scripting (XSS). This type of vulnerability occurs when the application stores client-supplied data and later renders it without proper sanitization or output encoding of dangerous content. An attacker could exploit this to conduct a range of attacks against users of the affected application, such as session hijacking, account takeover, and access to sensitive data. The XSS payload can be submitted by any anonymous user and is rendered and executed when a WordPress administrator authenticates and opens the WordPress Dashboard; this is why the CVSS vector records no privileges for the attacker (PR:N) but requires user interaction (UI:R) and a change of scope (S:C). Because the injected script runs inside the administrator's authenticated browser session, it can carry out actions on the administrator's behalf, including adding other administrative users and changing application settings.
Recommendations: For WPO365 | LOGIN WordPress plugin versions up to and including 15.3, update to a version later than 15.3 to resolve the issue (with WP-CLI, `wp plugin get wpo365-login --field=version` shows the installed version, assuming the plugin is installed under its standard slug). If updating is not immediately possible, consider restricting access to the WordPress Dashboard for administrators as a temporary workaround, and avoid using the plugin until it has been updated. At the moment, there is no information about additional mitigation measures.
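The following is an added illustration of the vulnerability class described above, written for this page; it is not code from the WPO365 | LOGIN plugin and does not show where that plugin's actual injection point is. The hook names, option key and request parameter (`example_sso_report`, `example_sso_log`, `message`) are hypothetical. It contrasts the vulnerable pattern (anonymous input stored raw and echoed raw on an admin page) with the hardened pattern (sanitize on input, escape on output, capability check on the admin page).

```php
<?php
// Added example for this advisory page, NOT code from the WPO365 | LOGIN plugin.
// Hook names, option key and the "message" parameter are hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// An admin-ajax "nopriv" action is reachable by any unauthenticated visitor.
add_action( 'wp_ajax_nopriv_example_sso_report_vuln', 'example_sso_report_vulnerable' );
function example_sso_report_vulnerable() {
    // Client-supplied text is stored verbatim in the database.
    $log   = get_option( 'example_sso_log', array() );
    $log[] = array( 'time' => time(), 'message' => $_REQUEST['message'] ?? '' );
    update_option( 'example_sso_log', $log );
    wp_die();
}

function example_render_log_vulnerable() {
    // ...and echoed without escaping on a page inside wp-admin. A stored
    // "<script>...</script>" entry executes in the administrator's browser,
    // with the administrator's session cookies and nonces available to it.
    foreach ( get_option( 'example_sso_log', array() ) as $entry ) {
        echo '<li>' . $entry['message'] . '</li>';
    }
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_nopriv_example_sso_report', 'example_sso_report_fixed' );
function example_sso_report_fixed() {
    // Sanitize on input: strip tags/control characters and bound the length,
    // so an anonymous party cannot write arbitrary markup into the database.
    $message = isset( $_REQUEST['message'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['message'] ) )
        : '';
    $message = mb_substr( $message, 0, 500 );

    $log   = get_option( 'example_sso_log', array() );
    $log[] = array( 'time' => time(), 'message' => $message );
    // Keep the log bounded; an unauthenticated endpoint must not grow it without limit.
    update_option( 'example_sso_log', array_slice( $log, -100 ), false );
    wp_die();
}

function example_render_log_fixed() {
    // Only administrators may view the log page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Escape for the HTML context at the point of output. Do not rely on input
    // sanitization alone: entries stored before the fix may still carry a payload.
    foreach ( get_option( 'example_sso_log', array() ) as $entry ) {
        printf(
            '<li><time>%s</time> %s</li>',
            esc_html( gmdate( 'c', (int) $entry['time'] ) ),
            esc_html( $entry['message'] )
        );
    }
}
```

The point the hardened version makes is that output escaping (`esc_html()`, or `esc_attr()` for attribute context) is the control that actually neutralizes a stored payload; input sanitization and the capability check reduce exposure but are not substitutes for it, and neither helps against entries that were stored before the plugin was updated.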

