CVE-2022-0150
Published 2022-02-28
Priority: P4 · 34 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit
EPSS: 1.72% (74.6th percentile)
The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp_accessibility_helper_project | wp_accessibility_helper | < 0.6.0.7 | 0.6.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Nuclei
CVE-2022-0150 [MEDIUM] WordPress Accessibility Helper <0.6.0.7 - Cross-Site Scripting (nuclei · CVSS 6.1)
WordPress Accessibility Helper plugin before 0.6.0.7 contains a cross-site scripting vulnerability. It does not sanitize and escape the wahi parameter before outputting back its base64 decode value in the page.
Template (truncated as indexed):

```yaml
id: CVE-2022-0150

info:
  name: WordPress Accessibility Helper <0.6.0.7 - Cross-Site Scripting
  author: dhiyaneshDK
  severity: medium
  description: |
    WordPress Accessibility Helper plugin before 0.6.0.7 contains a cross-site scripting vulnerability. It does not sanitize and escape the wahi parameter before outputting back its base64 decode value in the page.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data theft, or defacement of the affected WordPress website.
  reme
```
No writeups or analysis indexed.