CVE-2022-4115

The Editorial Calendar WordPress plugin before 3.8.3 does not sanitise and escape its settings, allowing users with roles as low as contributor to inject arbitrary web scripts in the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4	Exploit Third Party Advisory
https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:editorial_calendar_project:editorial_calendar:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:34

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4 - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4 - Exploit, Third Party Advisory

14 Aug 2023, 11:15

Type	Values Removed	Values Added
Summary	The Editorial Calendar WordPress plugin through 3.7.12 does not sanitise and escape its settings, allowing users with roles as low as contributor to inject arbitrary web scripts in the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users.	The Editorial Calendar WordPress plugin before 3.8.3 does not sanitise and escape its settings, allowing users with roles as low as contributor to inject arbitrary web scripts in the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users.

03 Jul 2023, 20:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-27 14:15

Updated : 2024-11-21 07:34

NVD link : CVE-2022-4115

Mitre link : CVE-2022-4115

CVE.ORG link : CVE-2022-4115

JSON object : View

Products Affected

editorial_calendar_project

editorial_calendar

CWE

No CWE.

{"id": "CVE-2022-4115", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-06-27T14:15:10.077", "references": [{"url": "https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "The Editorial Calendar WordPress plugin before 3.8.3 does not sanitise and escape its settings, allowing users with roles as low as contributor to inject arbitrary web scripts in the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users."}], "lastModified": "2024-11-21T07:34:36.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:editorial_calendar_project:editorial_calendar:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "A66D4176-1FDA-4F4E-913C-0DAB74158EBC", "versionEndIncluding": "3.7.12"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}

5.4 /10