CVE-2022-2540
🟡 Monitor
Missing nonce validation in the Link Optimizer Lite plugin enables Cross-Site Request Forgery and XSS attacks.
CVSS
8.8
EPSS
0.2%
Exploit
none
Vendor
link_optimizer_lite_project
Source description (NVD)
The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
xss
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.2% |
| Published (NVD) | 2022-09-06 18:15:14 UTC |
| Last modified (NVD) | 2026-04-08 19:17:52 UTC |
References
- https://plugins.trac.wordpress.org/browser/link-optimizer-lite/1.4.5/admin.php#L20 (security@wordfence.com) [Patch, Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ca64692b-b194-4ceb-975e-72e4041252f2?source=cve (security@wordfence.com)
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2540 (security@wordfence.com) [Third Party Advisory]