Vulnerabilites related to Unknown - Profile Builder – User Profile & User Registration Forms
CVE-2022-0884 (GCVE-0-2022-0884)
Vulnerability from cvelistv5
Published
2022-04-04 15:35
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform Criss-Site Scripting attacks even when unfiltered_html is disallowed
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Profile Builder – User Profile & User Registration Forms |
Version: 3.6.8 < 3.6.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:41.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/af06b96c-105f-429c-b2ad-c8c823897dba"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2690776"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Profile Builder \u2013 User Profile \u0026 User Registration Forms",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.6.8",
"status": "affected",
"version": "3.6.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Abhinav Porwal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform Criss-Site Scripting attacks even when unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T15:35:55",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/af06b96c-105f-429c-b2ad-c8c823897dba"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2690776"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Profile Builder \u003c 3.6.8 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0884",
"STATE": "PUBLIC",
"TITLE": "Profile Builder \u003c 3.6.8 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Profile Builder \u2013 User Profile \u0026 User Registration Forms",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6.8",
"version_value": "3.6.8"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Abhinav Porwal"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform Criss-Site Scripting attacks even when unfiltered_html is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/af06b96c-105f-429c-b2ad-c8c823897dba",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/af06b96c-105f-429c-b2ad-c8c823897dba"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2690776",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2690776"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0884",
"datePublished": "2022-04-04T15:35:55",
"dateReserved": "2022-03-08T00:00:00",
"dateUpdated": "2024-08-02T23:47:41.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}