CVE-2022-0200: Cross-site Scripting in Portfolio Post

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.2% (top 56.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 14
Latest update: Feb 15

Description

The Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back in the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 1 package

Vulnerability Details (2)

GHSA: GHSA-hgw8-98j5-vg4c: Themify Portfolio Post WordPress plugin before 1... (2022-02-15)
CVEList: Themify Portfolio Post < 1.1.7 - Reflected Cross-Site Scripting (2022-02-14)