CVE-2023-4549 — Cross-site Scripting in Dologin Security

CWE-79 — Cross-site Scripting CWE-284 — Improper Access Control4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

1.3%

top 20.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wpdo Dologin Security

Timeline

PublishedSep 25

Latest updateNov 14

Description

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDwpdo/dologin_security< 3.7

🔴Vulnerability Details

CVEList

DoLogin Security < 3.7 - Unauthenticated Stored Cross-Site Scripting↗2023-09-25

▶

GHSA

GHSA-897r-hcfg-v9vh: The DoLogin Security WordPress plugin before 3↗2023-09-25

▶

📋Vendor Advisories

Fortinet

An improper access control vulnerability [CWE-284] in FortiEDRCollectorWindows version 5.2.0.4549 and below, 5.0.3.1007...↗2023-11-14

▶