CVE-2022-2542
🟡 Monitor
Missing nonce validation in the uContext for Clickbank plugin for WordPress allows XSS via CSRF.
CVSS
8.8
EPSS
0.3%
Exploit
none
Vendor
summitmediaconcepts
Source description (NVD)
The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
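The missing check described above, as an added illustration that is not the uContext plugin's own code: a minimal WordPress admin-ajax handler that saves a keyword setting, in its vulnerable shape beside a hardened one that requires a user-bound nonce and a capability check. The action names, option key, nonce field and script handle are assumptions.

```php
<?php
// Added illustration (not the uContext plugin's code). Hypothetical action
// names, option key and nonce field. The vulnerable handler trusts any POST
// that reaches the action, so a forged cross-site request made by a logged-in
// administrator's browser can change the setting and store script in it.

// --- Vulnerable pattern: no nonce, no capability check, unsanitised value.
function ucx_demo_keyword_save_vulnerable() {
    $keyword = $_POST['keyword'];                  // request-controlled
    update_option( 'ucx_demo_keyword', $keyword ); // stored, later echoed: XSS
    wp_send_json_success();
}

// --- Hardened pattern.
function ucx_demo_keyword_save_hardened() {
    // 1. Nonce bound to this action and the current user; on a forged request
    //    check_ajax_referer() terminates the request with HTTP 403.
    check_ajax_referer( 'ucx_demo_keyword_save', '_ajax_nonce' );

    // 2. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitise on input, escape on output.
    $raw     = isset( $_POST['keyword'] ) ? wp_unslash( $_POST['keyword'] ) : '';
    $keyword = sanitize_text_field( $raw );
    update_option( 'ucx_demo_keyword', $keyword );
    wp_send_json_success( array( 'keyword' => esc_html( $keyword ) ) );
}
// Registered only for logged-in users: the "wp_ajax_nopriv_" variant is
// deliberately not added, so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_ucx_demo_keyword_save', 'ucx_demo_keyword_save_hardened' );

// The admin page must hand the matching nonce to the JavaScript caller, which
// sends it back as the "_ajax_nonce" POST field checked above.
function ucx_demo_enqueue_admin_js() {
    wp_enqueue_script( 'ucx-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ucx-demo-admin', 'ucxDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ucx_demo_keyword_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ucx_demo_enqueue_admin_js' );
```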
xss
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.3% |
| Published (NVD) | 2022-09-06 18:15:14 UTC |
| Last modified (NVD) | 2026-04-08 18:17:26 UTC |
References
- https://plugins.trac.wordpress.org/browser/ucontext/trunk/app/Ucontext_Ajax.php (security@wordfence.com) [Patch, Third Party Advisory]
- https://plugins.trac.wordpress.org/browser/ucontext/trunk/app/sites/ajax/actions/keyword_save.php (security@wordfence.com) [Patch, Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4af83d4b-2eae-481f-b3fd-d5bcacc1d709?source=cve (security@wordfence.com) [Third Party Advisory]
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2542 (security@wordfence.com) [Third Party Advisory]