CVE-2023-47182
📋 TL;DR
This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to Stored Cross-Site Scripting (XSS) in the Nazmul Hossain Nihal Login Screen Manager WordPress plugin. Attackers can inject malicious scripts that execute when users visit the login screen, potentially stealing credentials or performing unauthorized actions. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Nazmul Hossain Nihal Login Screen Manager WordPress Plugin
📦 What is this software?
Login Screen Manager by Nazmulhossainnihal
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, takes over WordPress sites, or redirects users to phishing pages whenever they visit the login screen.
Likely Case
Attackers inject malicious scripts that steal user session cookies or credentials, potentially compromising user accounts and site security.
If Mitigated
With proper CSRF protections and input validation, the attack would fail at the initial CSRF stage, preventing XSS injection entirely.
🎯 Exploit Status
Exploitation requires tricking an authenticated user (typically an administrator) into visiting an attacker-controlled page that submits the forged request; once the payload is stored, it executes for anyone who loads the login screen, with no authentication needed on the victim side.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 3.5.2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Login Screen Manager' plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Login Screen Manager plugin until patched:
wp plugin deactivate login-screen-manager
Implement CSRF protection
Add WordPress nonce verification to plugin forms if custom patching:
Add wp_nonce_field() and wp_verify_nonce() to plugin code
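The following is an added illustration of what that custom patch looks like; it is not the plugin's own code, and the option, action and nonce names (lsm_login_message, lsm_save_settings, lsm_nonce) are hypothetical placeholders. It closes the CSRF step with a nonce bound to the save action, checks capability, sanitizes on input and escapes on output so a stored value cannot execute on the login screen.

```php
<?php
// Added example, not the plugin's code. Names prefixed lsm_ are hypothetical.

// Settings page: the form carries a nonce tied to the save action.
function lsm_render_settings_page() {
    $message = get_option( 'lsm_login_message', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lsm_save_settings">
        <?php wp_nonce_field( 'lsm_save_settings', 'lsm_nonce' ); ?>
        <input type="text" name="lsm_login_message"
               value="<?php echo esc_attr( $message ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Save handler: a forged cross-site POST carries no valid nonce and dies here.
function lsm_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() wraps wp_verify_nonce() and dies on failure.
    check_admin_referer( 'lsm_save_settings', 'lsm_nonce' );

    $raw   = isset( $_POST['lsm_login_message'] ) ? wp_unslash( $_POST['lsm_login_message'] ) : '';
    $clean = sanitize_text_field( $raw ); // strips tags and control characters on input
    update_option( 'lsm_login_message', $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=lsm&updated=1' ) );
    exit;
}
add_action( 'admin_post_lsm_save_settings', 'lsm_save_settings' );

// Login screen: escape on output too, so even a previously stored payload renders as text.
function lsm_print_login_message( $message ) {
    $custom = get_option( 'lsm_login_message', '' );
    if ( '' === $custom ) {
        return $message;
    }
    return $message . '<p class="message">' . esc_html( $custom ) . '</p>';
}
add_filter( 'login_message', 'lsm_print_login_message' );
```

The output escaping on the login_message filter is what matters for the "If You Can't Patch" case: it neutralises a payload that was stored before the nonce check existed.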
🧯 If You Can't Patch
- Remove the Login Screen Manager plugin completely and use alternative login customization methods
- Implement web application firewall (WAF) rules to block XSS payloads targeting login endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Login Screen Manager > Version. If version is 3.5.2 or lower, you are vulnerable.
Check Version:
wp plugin get login-screen-manager --field=version
Verify Fix Applied:
Verify plugin version is > 3.5.2 in WordPress admin panel, or test CSRF protection by attempting to submit forms without valid nonce tokens.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php or plugin-specific endpoints
- JavaScript injection patterns in login page requests
- Multiple failed login attempts from same IP after plugin modification
Network Indicators:
- HTTP requests containing malicious script tags targeting login endpoints
- CSRF attacks originating from external domains to plugin admin endpoints
SIEM Query:
source="wordpress.log" AND ("login-screen-manager" OR "admin-ajax.php") AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=")
🔗 References
- https://patchstack.com/database/vulnerability/login-screen-manager/wordpress-login-screen-manager-plugin-3-5-2-unauth-stored-cross-site-scripting-xss-via-csrf-vulnerability?_s_id=cve