miniOrange SAML SP Single Sign On WordPress Plugin version 4.8.72 and below is vulnerable to a Cross Site Scripting attack via a specially crafted SAMLResponse XML payload.
This exploit works by passing a crafted SAMLResponse and RelayState variable to https://victim.com/wp-login.php
The plugin then parses the SAMLResponse message, and if the SAML status is anything other than “Success” the script dumps the contents of the expected parameter into the page, so any HTML placed in that variable is rendered.
For example a SAMLResponse payload will look like this:
This payload must be Base64 encoded and sent as the “SAMLResponse” parameter along with RelayState=testValidate.
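The failure path described above, as an added example that is not the plugin's code: decode the SAMLResponse, read its status, and render the error message with and without HTML escaping. The page does not say which field the plugin echoed, so the StatusCode Value and StatusMessage are used as a stand-in (assumption), and the sample Response is constructed.

```python
import base64
import html
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_status(saml_response_b64: str) -> tuple:
    """Return (StatusCode Value, StatusMessage text) from a base64 SAMLResponse."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # ElementTree does not expand external entities; a real SP should still
    # use a hardened XML parser and validate the signature before this point.
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    value = code.get("Value", "") if code is not None else ""
    text = (msg.text or "") if msg is not None else ""
    return value, text


def is_success(saml_response_b64: str) -> bool:
    return parse_status(saml_response_b64)[0] == SUCCESS


def render_error_vulnerable(saml_response_b64: str) -> str:
    """The pattern the advisory describes: IdP-controlled text concatenated into HTML."""
    value, text = parse_status(saml_response_b64)
    return f"<p>SAML login failed: {value} {text}</p>"


def render_error_safe(saml_response_b64: str) -> str:
    """Hardened form: escape attacker-controlled strings before they reach the page."""
    value, text = parse_status(saml_response_b64)
    return f"<p>SAML login failed: {html.escape(value)} {html.escape(text)}</p>"


# Constructed sample (assumption): a non-Success Response whose StatusMessage
# carries markup. It is XML-escaped on the wire, but after parsing the
# parser hands back literal "<b>" characters, which is what must be escaped.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
    <samlp:StatusMessage>&lt;b&gt;not really&lt;/b&gt; an error</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()
```

The point of the sample is that XML escaping in transit does not protect the HTML context; the value must be escaped again at output time.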
Proof of concept: