WordPress Plugin Vulnerabilities

Hermit <= 3.1.6 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in when creating a source, and does not sanitise as well as escape the title, which could allow attackers to make a logged in user create an arbitrary source with an XSS payload in it

Affects Plugins

Plugin icon
hermit
No known fix

References

CVE
CVE-2022-29413

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Ex.Mi
Verified
No
WPVDB ID
a76c98ea-b765-4002-b16b-f2131fe906cd

Timeline

Publicly Published
2022-04-28 (about 4 years ago)
Added
2022-04-28 (about 4 years ago)
Last Updated
2022-04-29 (about 4 years ago)

Other

Published
Title
Published
2025-01-16
Title
Slider for Writers <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-07
Title
Instabot <= 1.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-03-28
Title
IP Blocker Lite <= 11.1.1 - Cross-Site Request Forgery
Published
2023-07-10
Title
Multiple Plugins from Addify - Multiple CSRF
Published
2024-05-07
Title
Barcode Scanner with Inventory & Order Manager < 1.5.5 - Cross-Site Request Forgery