CVE-2022-1910
Published: 2022-07-11
Priority: P3 (medium)
CVSS 3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit
EPSS: 1.21% (64.4th percentile)
The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| averta | shortcodes_and_extra_features_for_phlox_theme | < 2.9.8 | 2.9.8 |
The second range on the source record (msrc / microsoft_endpoint_configuration_manager, with no version data) belongs to CVE-2022-24527, a Microsoft Endpoint Configuration Manager advisory that mentions Configuration Manager version "1910". That is a product release number, not this CVE; Configuration Manager is not affected by CVE-2022-1910.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
The vendor_msrc 7.8 HIGH score on the source record is Microsoft's rating for CVE-2022-24527 and does not apply to this CVE.
GHSA
GHSA-g9x6-vw35-42fq (ghsa_unreviewed, 2022-07-12): CVE-2022-1910 [MEDIUM], CWE-79
The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
Microsoft
The entry below is CVE-2022-24527, Microsoft Endpoint Configuration Manager Elevation of Privilege Vulnerability (vendor_msrc, 2022-04-12, CVSS 7.8 HIGH). It was attached to this record apparently because Configuration Manager version "1910" matches the CVE number; it is unrelated to the Phlox plugin and to CVE-2022-1910, and is kept here only as the source record shows it.
CVE-2022-24527 [HIGH] Microsoft Endpoint Configuration Manager Elevation of Privilege Vulnerability
FAQ: How do I get the update?
Customers have two options for the update that addresses this vulnerability:
1. Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See "Checklist for installing update 2203 for Configuration Manager" for more information.
2. Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager versions 1910 through 2111 who are not able to install Configuration Manager update 2203 (Build 5.00.9078) can download and install hotfix KB12819689. See "Connected cache update for Microsoft Endpoint Configuration Manager version 2111" for prerequisites, download link, and installation instructions.
FAQ: What
No detection rules found.
Nuclei
WordPress Shortcodes and Extra Features for Phlox <2.9.8 - Cross-Site Scripting
nuclei · CVE-2022-1910 [MEDIUM] · CVSS 6.1
Only the matcher section of the template survived on this page: the `<` in the title and in the payload were treated as HTML tag openers, so the `info:` block and the `http:` request block (path and parameter name) were swallowed and are not recoverable here. The surviving fragment, with the stripped `<script>` tags restored:

```yaml
      - type: word
        words:
          - '<script>alert(document.domain)</script>'
          - 'aux-widget'
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200a5c1975a71cb0b25e128996c005a9a6ca5153d8749f7e2a1e2a3366f3cc1d13022100a3466e60c425764af72d3f9eb6b317dc983dc7b29f71d6240d585c8a16ca7a45:922c64590222798bb761d5b6d8e72950
```
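The advisory describes the fault (a parameter echoed into the response without sanitising or escaping) and the nuclei fragment describes how it is detected (the reflected payload and an `aux-widget` marker in an HTML 200 response). The following is an added example, not code from this page, from the nuclei project or from the Phlox plugin: it evaluates that matcher logic offline against constructed responses, so the unrecorded request path and parameter name are not needed. Everything in it beyond the three matcher rules is an assumption: that the body words are ANDed, that the three matchers are ANDed as well (`matchers-condition: and`), and the markup in `render_widget()`.

```python
"""Offline check of the matcher logic for CVE-2022-1910 (reflected XSS).

Added example for this page; not code from the page, the nuclei project or
the Phlox plugin. The request path and the name of the reflected parameter
are not recorded on the page, so nothing is sent over the network: the
matcher rules from the surviving template fragment are evaluated against
constructed HTTP responses.

Assumptions (not on the page): the body matcher ANDs the payload with the
'aux-widget' marker; the three matchers are themselves ANDed (the usual
`matchers-condition: and`); the markup in render_widget() is invented.
"""
import html
from dataclasses import dataclass, field

PAYLOAD = "<script>alert(document.domain)</script>"

# Matcher rules as they survive in the template fragment on this page.
BODY_WORDS = (PAYLOAD, "aux-widget")    # type: word, condition: and
HEADER_WORDS = ("text/html",)           # type: word, part: header
EXPECTED_STATUS = (200,)                # type: status


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def matches(resp: Response) -> bool:
    """True only when every matcher fires (assumed matchers-condition: and)."""
    body_ok = all(w in resp.body for w in BODY_WORDS)
    # nuclei's header matcher searches the whole header block; do the same
    # over the header dict rather than a single named header.
    header_blob = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    header_ok = all(w in header_blob for w in HEADER_WORDS)
    status_ok = resp.status in EXPECTED_STATUS
    return body_ok and header_ok and status_ok


def render_widget(param: str, escape_output: bool) -> Response:
    """Constructed stand-in for the plugin's HTML response (markup invented).

    escape_output=False reproduces the fault the advisory describes: the
    parameter is echoed into the page verbatim.  escape_output=True is the
    fix, HTML-escaping on output, which is what WordPress's esc_html() /
    esc_attr() do; here html.escape() plays that role.
    """
    value = html.escape(param, quote=True) if escape_output else param
    body = f'<div class="aux-widget" data-id="{value}">{value}</div>'
    return Response(200, {"Content-Type": "text/html; charset=UTF-8"}, body)


def vulnerable_response_matches() -> bool:
    """Unescaped reflection: the payload lands in the HTML intact -> finding."""
    return matches(render_widget(PAYLOAD, escape_output=False))


def patched_response_matches() -> bool:
    """Escaped reflection: the body holds &lt;script&gt;..., not the payload -> no finding."""
    return matches(render_widget(PAYLOAD, escape_output=True))


def json_reflection_matches() -> bool:
    """The same string echoed by a JSON endpoint: the header matcher keeps
    this from being reported, because an application/json response is not
    rendered as a document by the browser."""
    body = '{"widget":"aux-widget","id":"' + PAYLOAD + '"}'
    resp = Response(200, {"Content-Type": "application/json"}, body)
    return matches(resp)


if __name__ == "__main__":
    print("raw reflection  :", vulnerable_response_matches())
    print("escaped output  :", patched_response_matches())
    print("json reflection :", json_reflection_matches())
```

The escaped case is the practical check on a fix: after upgrading past 2.9.8 the payload should come back as `&lt;script&gt;...`, which the body matcher no longer sees, so a scan that still fires on the patched site means the response is reflecting the value somewhere other than an escaped context. The JSON case is why the header matcher is there: plenty of admin-ajax style endpoints echo input in JSON, and without the `text/html` requirement those would be reported as reflected XSS.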
No writeups or analysis indexed.