CVE-2022-0201

Permalink Manager < 2.2.15 - Reflected Cross-Site Scripting

EPSS 3.4%CWE-79

Vexday Risk Score

18Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 3.4%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

14 Feb 2022Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue

Affected products

Maciej Bis · Permalink Manager Lite Maciej Bis · Permalink Manager Pro

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2656512 https://wpscan.com/vulnerability/f274b0d8-74bf-43de-9051-29ce36d78ad4