First published: Mon Jul 25 2022
The Name Directory WordPress plugin before 1.25.4 does not have a CSRF check when importing names, and also lacks sanitisation and escaping of some of the imported data, which could allow attackers to make a logged-in admin import arbitrary names with XSS payloads in them.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Name Directory Project Name Directory | <1.25.4 | |
The vulnerability ID for this Name Directory WordPress plugin vulnerability is CVE-2022-2071.
The severity of CVE-2022-2071 is medium with a CVSS score of 6.1.
The affected software is the Name Directory WordPress plugin in versions before 1.25.4.
This vulnerability allows attackers to import arbitrary names with XSS payloads in them, potentially leading to cross-site scripting attacks.
Updating the Name Directory WordPress plugin to version 1.25.4 or higher fixes this vulnerability.
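The two missing controls described above (a CSRF check on the import request, and sanitisation plus escaping of imported fields) look like this in a WordPress import handler. This is an added example, not the Name Directory plugin's code or its actual patch; every `nd_example_*` name, the option key and the two-column CSV layout are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not the Name Directory plugin's code.
// Every nd_example_* name, the option key and the CSV layout are assumptions.

// Import form: wp_nonce_field() embeds a token bound to this user and action.
function nd_example_import_form() { ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nd_example_import">
        <?php wp_nonce_field( 'nd_example_import_names', 'nd_example_nonce' ); ?>
        <input type="file" name="names_csv" accept=".csv">
        <?php submit_button( 'Import names' ); ?>
    </form>
<?php }

add_action( 'admin_post_nd_example_import', 'nd_example_handle_import' );
function nd_example_handle_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the POST carries a valid nonce for this action.
    check_admin_referer( 'nd_example_import_names', 'nd_example_nonce' );

    $tmp = isset( $_FILES['names_csv']['tmp_name'] ) ? $_FILES['names_csv']['tmp_name'] : '';
    if ( ! is_uploaded_file( $tmp ) || false === ( $fh = fopen( $tmp, 'r' ) ) ) {
        wp_die( 'No readable CSV uploaded.', '', array( 'response' => 400 ) );
    }
    $rows = array();
    while ( false !== ( $cols = fgetcsv( $fh ) ) ) {
        if ( ! isset( $cols[0] ) || '' === trim( $cols[0] ) ) {
            continue; // skip blank lines
        }
        $rows[] = array(
            'name'        => sanitize_text_field( $cols[0] ),           // plain text only
            'description' => wp_kses_post( isset( $cols[1] ) ? $cols[1] : '' ), // allow-listed HTML
        );
    }
    fclose( $fh );
    update_option( 'nd_example_names', $rows ); // stand-in for the real storage
    wp_safe_redirect( admin_url() );
    exit;
}

// Escape at output as well, so data stored before the fix is also neutralised.
function nd_example_render_names() {
    foreach ( (array) get_option( 'nd_example_names', array() ) as $row ) {
        printf( '<dt>%s</dt><dd>%s</dd>', esc_html( $row['name'] ), wp_kses_post( $row['description'] ) );
    }
}
```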