6.1
CVE-2022-1756
- EPSS 1.79%
- Veröffentlicht 13.06.2022 13:15:11
- Zuletzt bearbeitet 21.11.2024 06:41:24
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginNewsletter < 7.4.5 - Reflected Cross-Site Scripting
Newsletter – Send awesome emails from WordPress <= 7.4.4 - Reflected Cross-Site Scripting
The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.
Mögliche Gegenmaßnahme
Newsletter – Send awesome emails from WordPress: Update to version 7.4.5, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Thenewsletterplugin ≫ Newsletter SwPlatformwordpress Version < 7.4.5
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Newsletter – Send awesome emails from WordPress
Version
*-7.4.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.79% | 0.754 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072
https://www.wordfence.com/threat-intel/vulnerabilities/id/e136ab52-a193-430b-b2b2-d7640d009c99