4.8
CVE-2022-0376
- EPSS 0.28%
- Veröffentlicht 30.05.2022 09:15:08
- Zuletzt bearbeitet 21.11.2024 06:38:29
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginUser Meta <= 2.4.2 - Authenticated (Admin+) Cross-Site Scripting
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Mögliche Gegenmaßnahme
User Meta – User Profile Builder and User management plugin: Update to version 2.4.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
User Meta – User Profile Builder and User management plugin
Version
* - 2.4.2
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
User-meta ≫ User Meta User Profile Builder And User Management SwPlatformwordpress Version < 2.4.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.512 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.