CVE-2022-0450

Published: Mar 28, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

The Menu Image, Icons made easy WordPress plugin before 3.0.6 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend

Affected (1)

Products: Freshlightlab: Menu Image, Icons Made Easy

1 product

Menu Image, Icons Made Easy

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Freshlightlab Menu Image, Icons Made Easy	Before 3.0.8

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (2)

https://wpscan.com/vulnerability/612f9273-acc8-4be6-b372-33f1e687f54a

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/612f9273-acc8-4be6-b372-33f1e687f54a

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.