Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html Abstract A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. Contact For feedback or questions about this advisory mail us at sumofpwn at securify.nl The Summer of Pwnage This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam. OVE ID OVE-20160724-0011 Tested versions This issue was successfully tested on User Login Log WordPress Plugin version 2.2.1. Fix There is currently no fix available. Introduction The User Login Log WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. Details This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php. function column_default($item, $column_name) { [...] switch($column_name){ [...] default: return $item[$column_name]; } } Proof of concept: POST /wp-login.php HTTP/1.1 Host: User-Agent: XSSXSS Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.8 Accept-Encoding: gzip,deflate,lzma,sdch Cookie: wordpress_test_cookie=WP+Cookie+check Connection: close Content-Type: application/x-www-form-urlencoded log=&pwd=&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1