CVE-2022-4227 (GCVE-0-2022-4227)
Vulnerability from cvelistv5 – Published: 2022-12-26 12:28 – Updated: 2025-04-14 14:08
VLAI?
Summary
The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
Severity ?
6.1 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Unknown | Booster for WooCommerce |
Affected:
0 , < 5.6.3
(custom)
|
||||||||||||
|
||||||||||||||
Credits
WPScan
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:34:50.008Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:08:44.932351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:08:53.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Booster for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Booster Plus for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Booster Elite for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "WPScan"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-10T09:11:07.085Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Booster for WooCommerce - Reflected Cross-Site Scripting",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4227",
"datePublished": "2022-12-26T12:28:11.362Z",
"dateReserved": "2022-11-30T09:44:56.666Z",
"dateUpdated": "2025-04-14T14:08:53.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:booster:booster_elite_for_woocommerce:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"6.0.0\", \"matchCriteriaId\": \"A1FACFE0-A020-4C6E-97D0-33379E099105\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"5.6.3\", \"matchCriteriaId\": \"544E1476-3E5F-42FF-9B2B-0B6FB54656D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:booster:booster_plus_for_woocommerce:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"6.0.0\", \"matchCriteriaId\": \"73A30B72-C945-490B-9570-8E9A3CFB616E\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting\"}, {\"lang\": \"es\", \"value\": \"El complemento Booster para WooCommerce de WordPress anterior a 5.6.3, el complemento de WordPress Booster Plus para WooCommerce anterior a 6.0.0 y el complemento de WordPress Booster Elite para WooCommerce anterior a 6.0.0 no escapan de algunas URL y par\\u00e1metros antes de devolverlos en atributos, lo que lleva a Cross-Site Scripting Reflejado\"}]",
"id": "CVE-2022-4227",
"lastModified": "2024-11-21T07:34:49.770",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
"published": "2022-12-26T13:15:13.777",
"references": "[{\"url\": \"https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-4227\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-12-26T13:15:13.777\",\"lastModified\":\"2025-04-14T14:15:22.950\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting\"},{\"lang\":\"es\",\"value\":\"El complemento Booster para WooCommerce de WordPress anterior a 5.6.3, el complemento de WordPress Booster Plus para WooCommerce anterior a 6.0.0 y el complemento de WordPress Booster Elite para WooCommerce anterior a 6.0.0 no escapan de algunas URL y par\u00e1metros antes de devolverlos en atributos, lo que lleva a Cross-Site Scripting Reflejado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:booster:booster_elite_for_woocommerce:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"A1FACFE0-A020-4C6E-97D0-33379E099105\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"5.6.3\",\"matchCriteriaId\":\"544E1476-3E5F-42FF-9B2B-0B6FB54656D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:booster:booster_plus_for_woocommerce:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"73A30B72-C945-490B-9570-8E9A3CFB616E\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:34:50.008Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-4227\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-14T14:08:44.932351Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-14T14:08:38.983Z\"}}], \"cna\": {\"title\": \"Booster for WooCommerce - Reflected Cross-Site Scripting\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"WPScan\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"WPScan\"}], \"affected\": [{\"vendor\": \"Unknown\", \"product\": \"Booster for WooCommerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.6.3\", \"versionType\": \"custom\"}], \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Unknown\", \"product\": \"Booster Plus for WooCommerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Unknown\", \"product\": \"Booster Elite for WooCommerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\"]}], \"x_generator\": {\"engine\": \"WPScan CVE Generator\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-79 Cross-Site Scripting (XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"shortName\": \"WPScan\", \"dateUpdated\": \"2023-01-10T09:11:07.085Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-4227\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-14T14:08:53.277Z\", \"dateReserved\": \"2022-11-30T09:44:56.666Z\", \"assignerOrgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"datePublished\": \"2022-12-26T12:28:11.362Z\", \"assignerShortName\": \"WPScan\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…