CVE-2022-0450

🗓️ 28 Mar 2022 17:22:50Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 73 Views🌐 WEB

Menu Image, Icons made easy WordPress plugin before 3.0.6 lacks authorization and CSRF checks, allowing authenticated users to update settings and inject XSS payloads

Reporter	Title	Published	Views	Family All 11
CNNVD	WordPress plugin Menu Image, Icons made easy 跨站脚本漏洞	28 Mar 202200:00	–	cnnvd
Cvelist	CVE-2022-0450 Menu Image, Icons made easy < 3.0.8 - Subscriber+ Stored Cross-Site Scripting	28 Mar 202217:22	–	cvelist
EUVD	EUVD-2022-15589	3 Oct 202520:07	–	euvd
NVD	CVE-2022-0450	28 Mar 202218:15	–	nvd
OpenVAS	WordPress Menu Image, Icons Made Easy Plugin < 3.0.6 XSS Vulnerability	31 Jul 202300:00	–	openvas
Patchstack	WordPress Menu Image, Icons made easy plugin <= 3.0.7 - Stored Cross-Site Scripting (XSS) vulnerability	7 Mar 202200:00	–	patchstack
Prion	Cross site scripting	28 Mar 202218:15	–	prion
Positive Technologies	PT-2022-13194 · WordPress · The Menu Image	28 Mar 202200:00	–	ptsecurity
RedhatCVE	CVE-2022-0450	22 May 202522:04	–	redhatcve
wpexploit	Menu Image, Icons made easy < 3.0.8 - Subscriber+ Stored Cross-Site Scripting	7 Mar 202200:00	–	wpexploit

NVD

Vulners

Node

freshlightlab menu_image,_icons_made_easyRange<3.0.8wordpress

[
  {
    "vendor": "Unknown",
    "product": "Menu Image, Icons made easy",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.0.6"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/612f9273-acc8-4be6-b372-33f1e687f54a

Parameter	Position	Path	Description	CWE
action	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116
menu_item_id	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116
menu_item_image_title_position	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116
menu_item_image_type	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116
menu_item_image_size	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116
menu_item_image_button	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116
menu_image_icon	request body	wp-admin/admin-ajax.php	Saving menu settings lacks authorization/CSRF checks and input validation, allowing authenticated users (e.g., subscribers) to inject XSS payloads into menu configurations that are rendered in the frontend.	CWE-116

21 Nov 2024 06:38Current

5.4Medium risk

Vulners AI Score5.4

CVSS 23.5

CVSS 3.15.4

EPSS0.00247

CWE-116