First published: Mon Aug 01 2022
The Progressive License WordPress plugin through 1.1.0 lacks any CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them. Furthermore, because the plugin allows arbitrary HTML to be inserted into one of those settings, this could lead to a Stored XSS issue that is also triggered on the frontend.
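To show the two defects described above side by side, here is an added example written for this page; it is not code from the Progressive License plugin, and the option and field names (`pl_demo_settings`, `license_html`, `pl_demo_nonce`) are assumed. The first handler has the vulnerable shape (no nonce check, raw HTML stored); the second verifies a nonce bound to the action and the current user, checks capability, and filters the HTML on both input and output.

```php
<?php
// Added example, not the plugin's code. Option/field names are hypothetical.

// VULNERABLE shape: any POST arriving in the admin's browser session is
// accepted, and the HTML is stored verbatim, so a forged request can plant
// markup that is later echoed on the public frontend (stored XSS).
function pl_demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['license_html'] ) ) {
        return;
    }
    update_option( 'pl_demo_settings', array(
        'license_html' => $_POST['license_html'], // unfiltered
    ) );
}

// HARDENED version: the request must carry a nonce tied to this action and
// the current user, the user must be allowed to manage options, and the
// stored HTML is reduced to the tags WordPress permits in post content.
function pl_demo_save_settings_hardened() {
    if ( ! isset( $_POST['license_html'] ) ) {
        return;
    }
    // Stops the request (wp_die) if the nonce is missing or invalid.
    check_admin_referer( 'pl_demo_save_settings', 'pl_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'pl-demo' ) );
    }
    $html = wp_kses_post( wp_unslash( $_POST['license_html'] ) );
    update_option( 'pl_demo_settings', array( 'license_html' => $html ) );
}

// The settings form must emit the matching nonce field for the check above.
function pl_demo_render_settings_form() {
    $settings = get_option( 'pl_demo_settings', array( 'license_html' => '' ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'pl_demo_save_settings', 'pl_demo_nonce' ); ?>
        <textarea name="license_html"><?php echo esc_textarea( $settings['license_html'] ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Frontend output: re-filter on the way out as well (defence in depth);
// never echo the stored value raw.
function pl_demo_render_frontend() {
    $settings = get_option( 'pl_demo_settings', array( 'license_html' => '' ) );
    echo wp_kses_post( $settings['license_html'] );
}
```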
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Crowdfavorite Progressive License | <=1.1.0 | No known fix; disable or uninstall the plugin |
CVE-2022-2171 is a vulnerability in the Progressive License WordPress plugin through 1.1.0 that lacks a CSRF check when saving its settings, allowing attackers to change them.
CVE-2022-2171 has a severity score of 5.4 (medium).
The Progressive License WordPress plugin up to version 1.1.0 is affected by CVE-2022-2171.
An attacker can exploit CVE-2022-2171 by making a logged-in admin change the plugin's settings. Additionally, the plugin allows arbitrary HTML to be inserted into one of those settings, potentially leading to a stored XSS issue.
As of now, there is no known fix for CVE-2022-2171. It is recommended to disable or uninstall the Progressive License WordPress plugin.