WordPress Plugin Vulnerabilities

Progressive License <= 1.1.0 - CSRF to Stored XSS

Description

The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.

Proof of Concept

Affects Plugins

Plugin icon
progressive-license
No known fix

References

CVE
CVE-2022-2171

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
11937296-7ecf-4b94-b274-06f7990dbede

Timeline

Publicly Published
2022-07-07 (about 3 years ago)
Added
2022-07-07 (about 3 years ago)
Last Updated
2023-04-10 (about 2 years ago)

Other

Published
Title
Published
2025-06-27
Title
Burst Statistics < 2.0.8 - Cross-Site Request Forgery
Published
2024-01-31
Title
Setka Editor <= 2.1.20 - Cross-Site Request Forgery via handleRequest
Published
2021-07-27
Title
uListing < 2.0.6 - Multiple CSRF
Published
2024-01-30
Title
Don't Muck My Markup <= 1.8 - Cross-Site Request Forgery
Published
2024-11-01
Title
Dynamic Widgets < 1.6.5 - Cross-Site Request Forgery