CVE-2022-0220 PoC — WordPress plugin 跨站脚本漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-0220.yaml

Associated Vulnerability

Title:WordPress plugin 跨站脚本漏洞 (CVE-2022-0220)
Description:WordPress plugin是WordPress开源的一个应用插件。 WordPress plugin GDPR 插件存在跨站脚本漏洞，该漏洞源于1.9.27之前的WordPress GDPR WordPress插件的检查隐私设置AJAX动作，对未经认证和已认证的用户都可用，响应JSON数据，而不是应用JSON内容类型。由于HTML有效载荷没有被正确转义，它可能被web浏览器解释到这个端点。Javascript代码可能会在受害者的浏览器上执行。

Description

WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The check_privacy_settings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a victim's browser.

File Snapshot


 id: CVE-2022-0220

info:
  name: WordPress GDPR & CCPA <1.9.27 -  Cross-Site Scripting
  author: daf

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!