admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-05-06 02:31:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2022/CVE-2022-3149.md

19 lines
1.0 KiB
Markdown
Raw Normal View History

Update Sat May 25 21:48:12 CEST 2024
2024-05-25 21:48:12 +02:00
### [CVE-2022-3149](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3149)
![](https://img.shields.io/static/v1?label=Product&message=WP%20Custom%20Cursors&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.0.1%3C%203.0.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-352%20Cross-Site%20Request%20Forgery%20(CSRF)&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Cross-Site%20Scripting%20(XSS)&color=brighgreen)
### Description
The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting
### POC
#### Reference
- https://wpscan.com/vulnerability/4c13a93d-2100-4721-8937-a1205378655f
#### Github
No PoCs found on GitHub currently.
Reference in New Issue Copy Permalink