Vulnerabilities related to Unknown - GiveWP – Donation Plugin and Fundraising Platform
cve-2021-24524
Vulnerability from cvelistv5
Published
2021-08-23 11:09
Modified
2024-08-03 19:35
Summary
The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | GiveWP – Donation Plugin and Fundraising Platform | Affected: versions before 2.12.0 (< 2.12.0) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:35:20.023Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "vendor": "Unknown", "versions": [ { "lessThan": "2.12.0", "status": "affected", "version": "2.12.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Asif Nawaz Minhas" } ], "descriptions": [ { "lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-23T11:09:59", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336" } ], "source": { "discovery": "UNKNOWN" }, "title": "GiveWP \u003c 2.12.0 - Authenticated Stored XSS", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24524", "STATE": "PUBLIC", "TITLE": "GiveWP \u003c 2.12.0 - Authenticated Stored XSS" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.12.0", "version_value": "2.12.0" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": 
"eng", "value": "Asif Nawaz Minhas" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them." } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24524", "datePublished": "2021-08-23T11:09:59", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:35:20.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2215
Vulnerability from cvelistv5
Published
2022-08-01 12:50
Modified
2024-08-03 00:32
Summary
The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | GiveWP – Donation Plugin and Fundraising Platform | Affected: versions before 2.21.3 (< 2.21.3) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.421Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "vendor": "Unknown", "versions": [ { "lessThan": "2.21.3", "status": "affected", "version": "2.21.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Raad Haddad" } ], "descriptions": [ { "lang": "en", "value": "The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-01T12:50:18", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb" } ], "source": { "discovery": "EXTERNAL" }, "title": "GiveWP \u003c 2.21.3 - Admin+ Stored Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2215", "STATE": "PUBLIC", "TITLE": "GiveWP \u003c 2.21.3 - Admin+ Stored Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.21.3", "version_value": "2.21.3" } ] 
} } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Raad Haddad" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2215", "datePublished": "2022-08-01T12:50:18", "dateReserved": "2022-06-27T00:00:00", "dateUpdated": "2024-08-03T00:32:09.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-25099
Vulnerability from cvelistv5
Published
2022-02-21 10:45
Modified
2024-08-03 19:56
Summary
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2659032 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | GiveWP – Donation Plugin and Fundraising Platform | Affected: versions before 2.17.3 (< 2.17.3) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:56:10.761Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2659032" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "vendor": "Unknown", "versions": [ { "lessThan": "2.17.3", "status": "affected", "version": "2.17.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "JrXnm" } ], "descriptions": [ { "lang": "en", "value": "The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-21T10:45:53", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2659032" } ], "source": { "discovery": "EXTERNAL" }, "title": "Give \u003c 2.17.3 - Unauthenticated Reflected Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-25099", "STATE": "PUBLIC", "TITLE": "Give \u003c 2.17.3 - Unauthenticated Reflected Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { 
"product_data": [ { "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.17.3", "version_value": "2.17.3" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "JrXnm" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f" }, { "name": "https://plugins.trac.wordpress.org/changeset/2659032", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2659032" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-25099", "datePublished": "2022-02-21T10:45:53", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:56:10.761Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-25100
Vulnerability from cvelistv5
Published
2022-02-21 10:45
Modified
2024-08-03 19:56
Summary
The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting
References
| URL | Tags |
|---|---|
| https://plugins.trac.wordpress.org/changeset/2659032 | x_refsource_CONFIRM |
| https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | GiveWP – Donation Plugin and Fundraising Platform | Affected: versions before 2.17.3 (< 2.17.3) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:56:09.986Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2659032" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "vendor": "Unknown", "versions": [ { "lessThan": "2.17.3", "status": "affected", "version": "2.17.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "JrXnm" } ], "descriptions": [ { "lang": "en", "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-21T10:45:54", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2659032" }, { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b" } ], "source": { "discovery": "EXTERNAL" }, "title": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-25100", "STATE": "PUBLIC", "TITLE": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GiveWP 
\u2013 Donation Plugin and Fundraising Platform", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.17.3", "version_value": "2.17.3" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "JrXnm" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://plugins.trac.wordpress.org/changeset/2659032", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2659032" }, { "name": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-25100", "datePublished": "2022-02-21T10:45:54", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:56:09.986Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2260
Vulnerability from cvelistv5
Published
2022-08-01 12:50
Modified
2024-08-03 00:32
Summary
The GiveWP WordPress plugin before 2.21.3 does not have a CSRF check in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged-in admin DoS the web server via a CSRF attack, as the plugin will try to retrieve data from the database many times, overwhelming the target's CPU.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | GiveWP – Donation Plugin and Fundraising Platform | Affected: versions before 2.21.3 (< 2.21.3) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.543Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "vendor": "Unknown", "versions": [ { "lessThan": "2.21.3", "status": "affected", "version": "2.21.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Raad Haddad" } ], "descriptions": [ { "lang": "en", "value": "The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target\u0027s CPU." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-01T12:50:58", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f" } ], "source": { "discovery": "EXTERNAL" }, "title": "GiveWP \u003c 2.21.3 - DoS via CSRF", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2260", "STATE": "PUBLIC", "TITLE": "GiveWP \u003c 2.21.3 - DoS via CSRF" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.21.3", "version_value": "2.21.3" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Raad Haddad" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target\u0027s CPU." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2260", "datePublished": "2022-08-01T12:50:58", "dateReserved": "2022-06-30T00:00:00", "dateUpdated": "2024-08-03T00:32:09.543Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-0252
Vulnerability from cvelistv5
Published
2022-02-21 10:46
Modified
2024-08-02 23:25
Summary
The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting
References
| URL | Tags |
|---|---|
| https://plugins.trac.wordpress.org/changeset/2659032 | x_refsource_CONFIRM |
| https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | GiveWP – Donation Plugin and Fundraising Platform | Affected: versions before 2.17.3 (< 2.17.3) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:25:38.791Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2659032" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "vendor": "Unknown", "versions": [ { "lessThan": "2.17.3", "status": "affected", "version": "2.17.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "JrXnm" } ], "descriptions": [ { "lang": "en", "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-21T10:46:09", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2659032" }, { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a" } ], "source": { "discovery": "EXTERNAL" }, "title": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Import Tool", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-0252", "STATE": "PUBLIC", "TITLE": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Import Tool" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GiveWP \u2013 Donation Plugin and 
Fundraising Platform", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.17.3", "version_value": "2.17.3" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "JrXnm" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://plugins.trac.wordpress.org/changeset/2659032", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2659032" }, { "name": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-0252", "datePublished": "2022-02-21T10:46:09", "dateReserved": "2022-01-17T00:00:00", "dateUpdated": "2024-08-02T23:25:38.791Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }