5.4
CVE-2022-2600
- EPSS 0.2%
- Veröffentlicht 22.08.2022 15:15:15
- Zuletzt bearbeitet 21.11.2024 07:01:19
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginAuto-hyperlink URLs <= 5.4.1 - Tab Nabbing
The Auto-hyperlink URLs WordPress plugin through 5.4.1 does not set rel="noopener noreferer" on generated links, which can lead to Tab Nabbing by giving the target site access to the source tab through the window.opener DOM object.
Mögliche Gegenmaßnahme
Auto-hyperlink URLs: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Auto-hyperlink URLs
Version
*-5.4.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Auto-hyperlink Urls Project ≫ Auto-hyperlink Urls SwPlatformwordpress Version <= 5.4.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.418 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
|
CWE-1022 Use of Web Link to Untrusted Target with window.opener Access
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.