CVE-2022-1051 — Cross-site Scripting in Wpqa Builder

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

10.3%

top 6.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

2code Wpqa Builder

Timeline

PublishedMay 16

Latest updateMay 17

Description

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVD2code/wpqa_builder< 5.2

🔴Vulnerability Details

GHSA

GHSA-p462-hx7j-6485: The WPQA Builder Plugin WordPress plugin before 5↗2022-05-17

▶

CVEList

WPQA < 5.2 - Subscriber+ Stored Cross-Site Scripting via Profile fields↗2022-05-16

▶