CVE-2022-2541
🟡 Monitor
Missing nonce validation in the uContext plugin for WordPress enables a Cross-Site Scripting attack.
CVSS
8.8
EPSS
0.3%
Exploit
none
Vendor
summitmediaconcepts
Source description (NVD)
The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
xss
No patch
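To show what "missing nonce validation" in an admin-AJAX handler means in practice, here is an added illustration written for this page (it is not the uContext plugin's own code): a handler that saves a keyword setting, first without the checks the NVD text describes as missing, then with them. The action name, option name, nonce action and script handle are hypothetical.

```php
<?php
// Added illustration (not the uContext plugin's code): a WordPress admin-AJAX
// handler that saves a keyword setting, first without, then with the checks
// whose absence CVE-2022-2541 describes. Action, option and nonce names are
// hypothetical.

// BEFORE: no nonce, no capability check, no sanitisation. A forged request
// that an administrator's browser submits can store attacker-controlled
// markup in the option (CSRF leading to stored XSS).
function ucx_keyword_save_vulnerable() {
    $keyword = $_POST['keyword'];              // raw, unvalidated input
    update_option( 'ucx_keyword', $keyword );  // persisted as-is
    wp_send_json_success( array( 'keyword' => $keyword ) );
}

// AFTER: verify the per-user, per-action nonce, require the admin capability,
// and sanitise before storing.
function ucx_keyword_save_secure() {
    // Terminates the request unless the 'nonce' field carries a valid nonce
    // for the 'ucx_keyword_save' action, which a cross-site form cannot obtain.
    check_ajax_referer( 'ucx_keyword_save', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $keyword = isset( $_POST['keyword'] )
        ? sanitize_text_field( wp_unslash( $_POST['keyword'] ) )
        : '';
    update_option( 'ucx_keyword', $keyword );
    wp_send_json_success( array( 'keyword' => $keyword ) );
}
add_action( 'wp_ajax_ucx_keyword_save', 'ucx_keyword_save_secure' );

// The nonce is minted server-side for the logged-in admin and handed to the
// plugin's script; the JavaScript then posts it back as the 'nonce' field.
function ucx_enqueue_admin_script() {
    wp_enqueue_script( 'ucx-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ucx-admin', 'ucxAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ucx_keyword_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ucx_enqueue_admin_script' );

// Wherever the stored keyword is rendered, escape it for the HTML context so
// that even a value that slipped past sanitisation cannot execute as script.
function ucx_render_keyword() {
    echo esc_html( get_option( 'ucx_keyword', '' ) );
}
```

The nonce check alone closes the CSRF path; the capability check and output escaping are the defence in depth a reviewer would expect alongside it.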
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.3% |
| Published (NVD) | 2022-09-06 18:15:14 UTC |
| Last modified (NVD) | 2026-04-08 17:16:45 UTC |
References
- https://plugins.trac.wordpress.org/browser/ucontext-for-amazon/trunk/app/Ucontext4a_Ajax.php (security@wordfence.com) [Patch]
- https://plugins.trac.wordpress.org/browser/ucontext-for-amazon/trunk/app/sites/ajax/actions/keyword_save.php (security@wordfence.com) [Patch, Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7c43d4-cf21-4324-bc77-50bdc2c24661?source=cve (security@wordfence.com) [Third Party Advisory]
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2541 (security@wordfence.com) [Third Party Advisory]