Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by uleak-security-dashboard_project
CVE-2022-1557 (GCVE-0-2022-1557)
Vulnerability from cvelistv5 – Published: 2022-05-16 14:31 – Updated: 2024-08-03 00:10
VLAI
Title
ULeak Security & Monitoring <= 1.2.3 - Subscriber+ Stored Cross-Site Scripting
Summary
The ULeak Security & Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/e2b6dbf5-8709-4a… | x_refsource_MISC |
| https://packetstormsecurity.com/files/166564/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | ULeak Security & Monitoring Plugin |
Affected:
1.2.3 , ≤ 1.2.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:02.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e2b6dbf5-8709-4a2c-90be-3214ff55ed56"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/166564/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ULeak Security \u0026 Monitoring Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2.3",
"status": "affected",
"version": "1.2.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hassan Khan Yusufzai - Splint3r7"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ULeak Security \u0026 Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T14:31:11.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e2b6dbf5-8709-4a2c-90be-3214ff55ed56"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/166564/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ULeak Security \u0026 Monitoring \u003c= 1.2.3 - Subscriber+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1557",
"STATE": "PUBLIC",
"TITLE": "ULeak Security \u0026 Monitoring \u003c= 1.2.3 - Subscriber+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ULeak Security \u0026 Monitoring Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.2.3",
"version_value": "1.2.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Hassan Khan Yusufzai - Splint3r7"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ULeak Security \u0026 Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e2b6dbf5-8709-4a2c-90be-3214ff55ed56",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e2b6dbf5-8709-4a2c-90be-3214ff55ed56"
},
{
"name": "https://packetstormsecurity.com/files/166564/",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/166564/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1557",
"datePublished": "2022-05-16T14:31:11.000Z",
"dateReserved": "2022-05-03T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:02.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}