CVE-2014-6312

Login Widget With Shortcode < 3.2.1 - CSRF and Stored XSS via custom_style_afo

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6312. PoCs published by dxw.

AI-analyzed exploit summary This exploit demonstrates a CSRF/XSS vulnerability in the Login Widget With Shortcode WordPress plugin (version 3.1.1). It allows unauthenticated attackers to inject arbitrary HTML/JavaScript into admin pages, enabling actions such as creating user accounts or deleting posts.

Description

Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php.

Exploits (1)

exploitdb WORKING POC

by dxw · textwebappsphp

https://www.exploit-db.com/exploits/34762

View Code ZIP pw:eip

This exploit demonstrates a CSRF/XSS vulnerability in the Login Widget With Shortcode WordPress plugin (version 3.1.1). It allows unauthenticated attackers to inject arbitrary HTML/JavaScript into admin pages, enabling actions such as creating user accounts or deleting posts.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Login Widget With Shortcode 3.1.1

No auth needed

Prerequisites: Admin user must visit a malicious link or form

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Sep/58

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/34762

Product x_refsource_confirm

https://wordpress.org/plugins/login-sidebar-widget/changelog

Exploit x_refsource_misc

https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/show/osvdb/111757

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/show/osvdb/111700

Scores

EPSS 0.0415

EPSS Percentile 89.6%

Details

CWE

CWE-79

Status published

Products (7)

login_widget_with_shortcode_project/login_widget_with_shortcode 1.0.1

login_widget_with_shortcode_project/login_widget_with_shortcode 2.0.1

login_widget_with_shortcode_project/login_widget_with_shortcode 2.0.2

login_widget_with_shortcode_project/login_widget_with_shortcode 2.1.3

login_widget_with_shortcode_project/login_widget_with_shortcode 2.2.3

login_widget_with_shortcode_project/login_widget_with_shortcode 2.2.4

login_widget_with_shortcode_project/login_widget_with_shortcode < 3.1.1

Published Oct 15, 2014

Tracked Since Feb 18, 2026