CVE-2022-3149

Published: Oct 17, 2022Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting

Affected (1)

Products: Wp Custom Cursors Project: Wp Custom Cursors

Wp Custom Cursors Project

1 product

Wp Custom Cursors

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wp Custom Cursors Project Wp Custom Cursors	Before 3.0.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://wpscan.com/vulnerability/4c13a93d-2100-4721-8937-a1205378655f

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/4c13a93d-2100-4721-8937-a1205378655f

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.