Search criteria

1 vulnerability by quick_subscribe_project

CVE-2022-1792 (GCVE-0-2022-1792)

Vulnerability from cvelistv5 – Published: 2022-06-13 12:43 – Updated: 2024-08-03 00:16
VLAI
Title
Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS
Summary
The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them
Severity
No CVSS data available.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
Vendor Product Version
Unknown Quick Subscribe Affected: 1.7.1 , ≤ 1.7.1 (custom)
Create a notification for this product.
Credits
Daniel Ruf
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:16:59.933Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/44555c79-480d-4b6a-9fda-988183c06909"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Quick Subscribe",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThanOrEqual": "1.7.1",
              "status": "affected",
              "version": "1.7.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Daniel Ruf"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-13T12:43:00.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/44555c79-480d-4b6a-9fda-988183c06909"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Quick Subscribe \u003c= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1792",
          "STATE": "PUBLIC",
          "TITLE": "Quick Subscribe \u003c= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Quick Subscribe",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.7.1",
                            "version_value": "1.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Daniel Ruf"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/44555c79-480d-4b6a-9fda-988183c06909",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/44555c79-480d-4b6a-9fda-988183c06909"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1792",
    "datePublished": "2022-06-13T12:43:00.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:16:59.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}