CVE-2022-2171: CSRF
First published: Mon Aug 01 2022(Updated: )
The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Crowdfavorite Progressive License | <=1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-2171?
CVE-2022-2171 is a vulnerability in the Progressive License WordPress plugin through 1.1.0 that lacks CSRF check when saving settings, allowing attackers to change them.
How severe is CVE-2022-2171?
CVE-2022-2171 has a severity score of 5.4 (medium).
What software versions are affected by CVE-2022-2171?
The Progressive License WordPress plugin up to version 1.1.0 is affected by CVE-2022-2171.
How can an attacker exploit CVE-2022-2171?
An attacker can exploit CVE-2022-2171 by making a logged-in admin change the plugin's settings. Additionally, the plugin allows arbitrary HTML to be inserted, potentially leading to a stored XSS issue.
Is there a fix for CVE-2022-2171?
As of now, there is no known fix for CVE-2022-2171. It is recommended to disable or uninstall the Progressive License WordPress plugin.
- collector/nvd-index
- vendor/crowdfavorite
- canonical/crowdfavorite progressive license
- version/crowdfavorite progressive license/1.1.0