vendor:
User Login Log Plugin
by:
Summer of Pwnage
8,8
CVSS
HIGH
Stored Cross-Site Scripting
79
CWE
Product Name: User Login Log Plugin
Affected Version From: 2.2.1
Affected Version To: 2.2.1
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:user_login_log_plugin
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016
Stored Cross-Site Scripting Vulnerability in User Login Log WordPress Plugin
A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php.
Mitigation:
There is currently no fix available.
