Lucene search

PatchstackCVELIST:CVE-2022-29422

HistoryApr 28, 2022 - 12:00 a.m.

CVE-2022-29422 WordPress Countdown & Clock plugin <= 2.3.2 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities

2022-04-2800:00:00

CWE-79

Patchstack

www.cve.org

wordpress

countdown & clock plugin

cve-2022-29422

authenticated

persistent

cross-site scripting

xss

adam skaat

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L

EPSS

0.001

Percentile

19.4%

JSON

Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat’s Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.

CNA Affected

[
  {
    "product": "Countdown & Clock (WordPress plugin)",
    "vendor": "Adam Skaat",
    "versions": [
      {
        "lessThanOrEqual": "2.3.2",
        "status": "affected",
        "version": "<= 2.3.2",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/countdown-builder/wordpress-countdown-clock-plugin-2-3-0-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities

wordpress.org/plugins/countdown-builder/#developers