{"id":3071,"date":"2024-03-01T19:45:22","date_gmt":"2024-03-01T19:45:22","guid":{"rendered":"http:\/\/127.0.0.1\/nextend-social-login-y-register-3-1-12-cross-site-scripting-reflejado-self-based-a-traves-de-error_description\/"},"modified":"2024-03-01T19:45:22","modified_gmt":"2024-03-01T19:45:22","slug":"nextend-social-login-y-register-3-1-12-cross-site-scripting-reflejado-self-based-a-traves-de-error_description","status":"publish","type":"post","link":"http:\/\/127.0.0.1\/nextend-social-login-y-register-3-1-12-cross-site-scripting-reflejado-self-based-a-traves-de-error_description\/","title":{"rendered":"Nextend Social Login and Register <= 3.1.12 – Self-Based Reflected Cross-Site Scripting via error_description"},"content":{"rendered":"
The Nextend Social Login and Register plugin for WordPress is vulnerable to Self-Based Reflected Cross-Site Scripting via the ‘error_description’ parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping.<\/div>\n

<\/p>\n

This makes it possible for unauthenticated attackers, with access to a subscriber-level account, to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. It is important to note that this vulnerability can be successfully exploited on a vulnerable WordPress instance against a higher-level user pre-authenticated with OAuth (for example, an administrator) by leveraging cross-site request forgery together with a particular social-engineering technique to achieve a critical-impact scenario (cross-site scripting leading to admin-level account creation). However, successful exploitation requires ‘Debug mode’ to be enabled in the ‘Global Settings’ section of the plugin.<\/div>\n
To mitigate this issue, it is recommended to update to the latest version of the Nextend Social Login and Register plugin as soon as possible. Additionally, disabling ‘Debug mode’ in the plugin's global settings is advised to reduce the risk of exploitation of this vulnerability.<\/div>\n","protected":false},"excerpt":{"rendered":"

The Nextend Social Login and Register plugin for WordPress is vulnerable to Self-Based Reflected Cross-Site Scripting via the ‘error_description’ parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers, with access to an account […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[784],"class_list":["post-3071","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cve-2024-1775"],"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/3071"}],"collection":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=3071"}],"version-history":[{"count":0,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/3071\/revisions"}],"wp:attachment":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=3071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=3071"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=3071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}