WordPress Plugin Vulnerabilities

DX Share Selection < 1.5 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place when updating its settings and is lacking escaping as well as sanitisation in some of them, which could allow attackers to make a logged in admin change them and put XSS payloads in them via a CSRF attack

Affects Plugins

Plugin icon
dx-share-selection
Fixed in 1.5

References

CVE
CVE-2022-2001

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Sho Sakata
Verified
Yes
WPVDB ID
f4554ee1-28e2-42e7-87be-b4ed8199580c

Timeline

Publicly Published
2022-06-22 (about 3 years ago)
Added
2022-06-22 (about 3 years ago)
Last Updated
2023-03-29 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
User Domain Whitelist 1.4 - user-domain-whitelist.php Domain Whitelisting Manipulation CSRF
Published
2023-02-17
Title
Extensions For CF7 < 2.0.9 - Arbitrary Plugin Activation via CSRF
Published
2024-01-19
Title
Splashscreen <= 0.20 - Settings Update via CSRF
Published
2025-01-16
Title
WP Cookies Alert <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-12-04
Title
Media Library Downloader <= 1.4.0 - Cross-Site Request Forgery