Zero-day vulnerability in Login/Signup Popup ( Inline Form + Woocommerce )

Stored cross-site scripting

The vulnerability exploitation was detected on May 14, 2020. The authenticated attackers can inject, via the AJAX API, JavaScript code into the pluginтАЩs settings and use it to target the administrator in the backend of WordPress.

Vulnerability details

Advisory: SB2020051510 - Stored cross-site scripting in Login/Signup Popup plugin for WordPress

Vulnerable component: Login/Signup Popup ( Inline Form + Woocommerce )

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description:

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: The vulnerability is being actively exploited in the wild.