The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
2023-01-02T22:15:16.500
2025-04-10T19:15:51.547
Modified
CVSSv3.1: 4.8 (MEDIUM)
-
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | miniorange | login_with_cognito | ≤ 1.4.8 | Yes |