CVE-2022-1781

🗓️ 13 Jun 2022 12:42:52Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 66 Views🌐 WEB

The postTabs WordPress plugin lacks CSRF check, enabling attackers to exploit a logged-in admin via CSRF attack for settings change and Stored XSS due to lack of sanitization

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2022-1781	13 Jun 202213:15	–	attackerkb
Circl	CVE-2022-1781	13 Jun 202216:22	–	circl
CNNVD	WordPress plugin postTabs 跨站请求伪造漏洞	13 Jun 202200:00	–	cnnvd
CNVD	WordPress postTabs plugin cross-site request forgery vulnerability	15 Jun 202200:00	–	cnvd
Cvelist	CVE-2022-1781 postTabs <= 2.10.6 - Arbitrary Settings Update via CSRF to Stored XSS	13 Jun 202212:42	–	cvelist
EUVD	EUVD-2022-25062	3 Oct 202520:07	–	euvd
NVD	CVE-2022-1781	13 Jun 202213:15	–	nvd
OSV	CVE-2022-1781	13 Jun 202213:15	–	osv
Patchstack	WordPress postTabs plugin <= 2.10.6 - Arbitrary Settings Update via CSRF vulnerability leading to XSS	23 May 202200:00	–	patchstack
Prion	Cross site scripting	13 Jun 202213:15	–	prion

NVD

Vulners

Node

posttabs_project posttabsRange≤2.10.6wordpress

[
  {
    "product": "postTabs",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "2.10.6",
        "status": "affected",
        "version": "2.10.6",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/7f2ae2c9-57d4-46a0-a9a1-585ec543b153

Parameter	Position	Path	Description	CWE
line	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
active_font	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
active_bg	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
over_font	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
over_bg	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
inactive_font	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
inactive_bg	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
align	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
TOC_title	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352
TOC	request body	wp-admin/options-general.php?page=postTabs.php	CSRF vulnerability allowing a logged-in admin to update plugin settings via a forged request (CSRF), with stored XSS due to lack of sanitisation/escaping.	CWE-352

21 Nov 2024 06:41Current

5.2Medium risk

Vulners AI Score5.2

CVSS 23.5

CVSS 3.15.4

EPSS0.00084

CWE-352