CVE-2021-43409: 
WordPress vulnerability analysis and mitigation

The WPO365 | LOGIN WordPress plugin (versions up to and including 15.3) by wpo365.com contained a persistent Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on September 29, 2021, and was patched on the same day. This security flaw affected WordPress installations using the WPO365 plugin for Microsoft Office 365 and Azure AD integration (AppCheck Advisory).

The vulnerability occurs when rendering OpenID authentication error messages within the WPO365 dashboard. The affected code in ServicesRouter_Service.php processes the error_description POST parameter and writes it to the internal log service without proper sanitization. The vulnerability has a CVSS v3.1 base score of 9.3 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) according to the vendor assessment (NVD).

This persistent XSS vulnerability allows attackers to submit malicious script content that gets stored and later executed when WordPress administrators access the WordPress Dashboard. The executed payload can perform actions with administrator privileges, including adding new administrative users and modifying application settings, potentially leading to full system compromise (AppCheck Advisory).

The vendor released a security update on the same day the issue was reported (September 29, 2021). Users should upgrade to version 15.4 or later of the WPO365 | LOGIN plugin to address this vulnerability (WPO365 Changelog).