CVE-2022-1756

Newsletter < 7.4.5 - Reflected Cross-Site Scripting

EPSS 1.8%CWE-79

Vexday Risk Score

18Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS —EPSS 1.8%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

13 jun 2022Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

Productos afectados

Unknown · Newsletter – Send awesome emails from WordPress

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072