cbcvebase.
CVE-2022-0346
published 2022-05-23

CVE-2022-0346: The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via…

Priority P277 · Severity: medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 2.21% (80.3rd percentile)
The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.

Affected

1 range
Vendor: xmlsitemapgenerator · Product: xml_sitemap_generator · Version range: < 2.0.4 · Fixed in: 2.0.4

Detection & IOCs (extracted from sources)

hash (a string matched in the HTTP response body, not a file hash): 2ef3baa95802a4b646f2fc29075efe34
other: 490a0046304402200124575cef49b079fcb7e2f6d0ad8fef4845ebe85dbc678b1fe131b422d61ea1022055c204c75c31b714f3a2b8f0f4f816dac254641997294050c7539fd7df0bd587:922c64590222798bb761d5b6d8e72950 (this has the form of a Nuclei template `# digest:` signature line, i.e. an integrity signature on the detection template itself, not an indicator of compromise on a target)
  • Probe for XSS/RCE by sending an arbitrary value in the affected parameter and looking for the error message 'Invalid Provider type specified' in the HTTP response body; the error shows the plugin reached the unvalidated-parameter path and reflected the error text.
  • The detection rule is a two-step match: the response body must contain 'Invalid Provider type specified' AND, in a second body check, the string '2ef3baa95802a4b646f2fc29075efe34'. Either indicator alone is not a hit; the error text by itself is a normal plugin message.
  • RCE is only reachable when the PHP 'allow_url_include' directive is enabled on the target, which lets an include take a remote URL. That directive defaults to Off and was deprecated in PHP 7.4, so on most deployments the practical impact is reflected XSS (hence UI:R in the CVSS vector), not code execution.
  • The vulnerability affects XML Sitemap Generator for Google WordPress plugin versions before 2.0.4; versions at or above 2.0.4 are patched. Compare versions numerically (2.0.10 is newer than 2.0.4), not as strings.
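The following is an added triage helper, not the plugin's code and not the published detection rule. It implements the two-condition body match the bullets describe (both indicator strings are the ones quoted on this page), a numeric version check against the 2.0.4 fix, and a reader for the allow_url_include directive so the verdict distinguishes the XSS case from the RCE case. The sample response bodies and php.ini fragments are constructed for the demonstration; the exact request path and parameter name are not given on this page and are deliberately not assumed here.

```python
"""Triage helpers for CVE-2022-0346 (XML Sitemap Generator for Google < 2.0.4).

Added example. Indicator strings are taken from the page's description of the
detection rule; sample bodies and ini text below are constructed, not captured.
"""
import re
from typing import Optional, Tuple

ERROR_MARKER = "Invalid Provider type specified"          # reflected error text
BODY_MARKER = "2ef3baa95802a4b646f2fc29075efe34"          # second body-match string
FIXED_VERSION = (2, 0, 4)


def matches_detection(body: str) -> bool:
    """Two-condition match: the error text AND the marker string must both appear.

    The error text alone is an ordinary plugin message, so a single-string
    match would produce false positives; both checks are required, as in the
    rule described above.
    """
    return ERROR_MARKER in body and BODY_MARKER in body


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.4' -> (2, 0, 4). Stops at the first non-numeric piece ('2.0.4-beta')."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True for every release before 2.0.4; tuple comparison handles 2.0.10 correctly."""
    return parse_version(v) < FIXED_VERSION


def allow_url_include_enabled(ini_text: str) -> Optional[bool]:
    """Read allow_url_include from php.ini-style text.

    Returns True/False for an explicit setting and None when the directive is
    absent or only present in a ';' comment (PHP's built-in default is Off).
    """
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "allow_url_include":
            continue
        return value.strip().strip('"').lower() in ("1", "on", "true", "yes")
    return None


def impact(body: str, version: Optional[str] = None, ini_text: str = "") -> str:
    """Combine version, body match and PHP configuration into one verdict."""
    if version is not None and not is_vulnerable_version(version):
        return "patched"
    if not matches_detection(body):
        return "not detected"
    if allow_url_include_enabled(ini_text):
        return "vulnerable: RCE (allow_url_include=On)"
    return "vulnerable: XSS (allow_url_include off/unknown)"


# Constructed sample bodies: a hit under the two-condition rule, and the bare
# error message without the marker string, which must not count as a hit.
SAMPLE_HIT = (
    "<html><body><p>Invalid Provider type specified: "
    "2ef3baa95802a4b646f2fc29075efe34</p></body></html>"
)
SAMPLE_MISS = "<html><body><p>Invalid Provider type specified</p></body></html>"

# Constructed php.ini fragments.
SAMPLE_INI_ON = "; php.ini (constructed)\nallow_url_fopen = On\nallow_url_include = On\n"
SAMPLE_INI_OFF = "allow_url_include = Off\n"

if __name__ == "__main__":
    print(impact(SAMPLE_HIT, "2.0.3", SAMPLE_INI_ON))
    print(impact(SAMPLE_HIT, "2.0.3", SAMPLE_INI_OFF))
    print(impact(SAMPLE_MISS, "2.0.3"))
    print(impact(SAMPLE_HIT, "2.0.4"))
```

The php.ini reader is a convenience for hosts you administer; on a target you do not control, the only reliable way to know whether allow_url_include is on is to observe behaviour, and the verdict should then be read as "XSS confirmed, RCE unknown".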

CVSS provenance

NVD (v3.1): 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD (v2.0): 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
VulnCheck: 6.1 MEDIUM