Ver todas as ameaças

CVE-2022-0220

Alvo: Não informado

Descrição

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an “application/json” content-type. Since an HTML payload isn’t properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim’s browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)

Software
Não informado
Tipo Software
Plugin
CVE
CVE-2022-0220
Tags
Nâo informado
Data de publicação
01/02/2022
Última atualização
08/11/2023
Pontuação em CVSS 3.0
6.1
Médio
Rolar para cima