CVE-2022-1758

Genki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF

EPSS 0.6%CWE-352

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

13 Jun 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.

Affected products

Unknown · Genki Pre-Publish Reminder

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/211816ce-d2bc-469b-9a8e-e0c2a5c4461b