wpvulndb | Kunal Sharma | WPVDB-ID: A70AD549-2E09-44FB-B894-4271AD4A84F6
History: Nov 03, 2022 - 12:00 a.m.

Showing URL in QR Code <= 0.0.1 - Stored XSS via CSRF

2022-11-03 00:00:00
Kunal Sharma
wpscan.com

Tags: xss via csrf, stored xss, csrf attack, plugin vulnerability, csrf check, sanitisation, escaping, logged in admin, editor

EPSS: 0.001 (Low)
Percentile: 30.4%

The plugin does not have a CSRF check when updating its settings, and is also missing sanitisation and escaping. This could allow attackers to make a logged-in admin or editor add Stored XSS payloads via a CSRF attack.
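For comparison, a settings handler that closes the three gaps named above (a nonce-based CSRF check, type-coercing sanitisation on save, and escaping on output). This is an added example for this advisory, not the plugin's own code; the option name, hook, nonce action and capability are assumptions, while the field names are those from the PoC table.

```php
<?php
// Added illustrative hardening for a settings form like the one this advisory
// describes. This is NOT the plugin's own code: the option name, nonce action,
// hook and capability are assumptions for the example; the field names
// (bg_color, colorDark, colorLight, width, height, checkbox-nested-2) are from the PoC.

add_action( 'admin_post_qr_save_settings', 'qr_example_save_settings' );

function qr_example_save_settings() {
    // 1. Authorisation: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. CSRF check: the nonce proves the request came from our own form,
    //    not from a page an attacker tricked the admin or editor into opening.
    check_admin_referer( 'qr_example_save_settings', 'qr_example_nonce' );

    // 3. Sanitisation: coerce every value to the type the setting expects.
    $settings = array(
        'bg_color'   => sanitize_hex_color( wp_unslash( $_POST['bg_color']   ?? '' ) ) ?: '#ffffff',
        'colorDark'  => sanitize_hex_color( wp_unslash( $_POST['colorDark']  ?? '' ) ) ?: '#000000',
        'colorLight' => sanitize_hex_color( wp_unslash( $_POST['colorLight'] ?? '' ) ) ?: '#ffffff',
        'width'      => min( 1000, max( 50, absint( $_POST['width']  ?? 200 ) ) ),
        'height'     => min( 1000, max( 50, absint( $_POST['height'] ?? 200 ) ) ),
        'nested'     => isset( $_POST['checkbox-nested-2'] ) ? 1 : 0,
    );
    update_option( 'qr_example_settings', $settings );

    wp_safe_redirect( admin_url( 'options-general.php?page=qr-example&updated=1' ) );
    exit;
}

function qr_example_render_form() {
    $s = wp_parse_args( get_option( 'qr_example_settings', array() ), array(
        'bg_color' => '#ffffff', 'width' => 200, 'nested' => 0,
    ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qr_save_settings">
        <?php wp_nonce_field( 'qr_example_save_settings', 'qr_example_nonce' ); ?>
        <!-- 4. Escaping: stored values are escaped for the HTML attribute context. -->
        <input type="text"   name="bg_color" value="<?php echo esc_attr( $s['bg_color'] ); ?>">
        <input type="number" name="width"    value="<?php echo esc_attr( $s['width'] ); ?>">
        <input type="checkbox" name="checkbox-nested-2" value="1" <?php checked( $s['nested'], 1 ); ?>>
        <?php submit_button( 'Save', 'primary', 'urlinqrcoed-submit' ); ?>
    </form>
    <?php
}
```

A forged cross-site POST fails at `check_admin_referer()` because the attacker's page cannot read the victim's nonce, and even a value that reaches storage is reduced to a hex colour, a bounded integer or a flag before it is saved.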

PoC

Make a logged in editor or admin open a page with the below payload:

| Field | Value |
|---|---|
| checkbox-nested-2 | |
| bg_color | |
| colorDark | |
| colorLight | |
| width | |
| height | |
| urlinqrcoed-submit | |

| CPE Name | Operator | Version |
|---|---|---|
| get-site-to-phone-by-qr-code | eq | * |
