CVE-2022-0422

White Label MS < 2.2.9 - Reflected Cross-Site Scripting

EPSS 8.1%CWE-79

Vexday Risk Score

18Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 8.1%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

07 Mar 2022Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue

Affected products

Unknown · White Label CMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2672615 https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc