Vulnerability Summary
A critical Reflected Cross-Site Scripting (XSS) vulnerability was discovered in a captive WiFi portal, allowing an unauthenticated attacker to steal the credentials of any user connecting via a malicious URL. The portal reflects a URL tracking parameter (the device identifier) directly into a hidden <input> field during the authentication response, without applying any HTML encoding or sanitization. When the victim submits their login credentials, the injected <script> tag executes within the context of the trusted portal domain—before the page's own auto-submit mechanism can react—allowing the attacker to silently redirect the credentials to an arbitrary server.
The initial endpoint GET /auth/portalMenu stores the device_id URL parameter in the local HTTP session. When the victim enters their details and clicks login, the request is sent to the POST /auth/VerifyCredentials endpoint. This server-generated response embeds the previously saved session value inside an <input value="..."> attribute without encoding dangerous characters such as ", <, or >. This allows an attribute breakout and, consequently, the injection of JavaScript code for immediate execution.
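The two-step flow described above, as an added example that is not the portal's own code: it models the session store and the credential response, then renders the hidden field raw and HTML-encoded and parses both results. The function names, the dictionary session, the template and the device-identifier pattern are assumptions; the probe value is constructed and inert.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: a device identifier is a short token such as a MAC address.
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9:-]{1,64}")

def portal_menu(session, device_id, validate):
    """Model of GET /auth/portalMenu: keep device_id in the session."""
    if validate and not DEVICE_ID_RE.fullmatch(device_id):
        device_id = ""  # drop anything that is not a plausible identifier
    session["device_id"] = device_id

TEMPLATE = '<form><input type="hidden" name="device_id" value="%s"></form>'

def render_vulnerable(session):
    """Model of the POST /auth/VerifyCredentials response: raw session value."""
    return TEMPLATE % session["device_id"]

def render_hardened(session):
    """Same response with the value encoded for an HTML attribute at output time."""
    return TEMPLATE % html.escape(session["device_id"], quote=True)

class TagCollector(HTMLParser):
    """Records start tags and the decoded value of each <input>."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

# Constructed probe: closes the attribute and the tag, then opens a harmless <i>.
PROBE = 'AA:BB:CC"><i data-probe="1">'

def check(render, validate):
    """Run both steps with PROBE and return (tags seen, input values seen)."""
    session = {}
    portal_menu(session, PROBE, validate)
    collector = TagCollector()
    collector.feed(render(session))
    collector.close()
    return collector.tags, collector.values

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        print(render.__name__, check(render, validate=False))
```

An extra element in the tag list means the value left its attribute; with encoding applied the parser sees only the form and the input, and the probe comes back as plain data.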