The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/612f9273-acc8-4be6-b372-33f1e687f54a | Exploit Third Party Advisory |
Configurations
Information
Published : 2022-03-28 11:15
Updated : 2022-04-04 10:29
NVD link : CVE-2022-0450
Mitre link : CVE-2022-0450
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
freshlightlab
- menu_image\,_icons_made_easy