WP Voting Contest < 3.0 - Reflected Cross-Site Scripting
CVE-2022-0321

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Voting Contest
Vendor: CVE Published:; 14 March 2022

Summary

The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the post_id parameter before outputting it back in the response via the wpvc_social_share_icons AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue

Affected Version(s)

WP Voting Contest 3.0

References

https://wpscan.com/vulnerability/286b81a0-6f6d-4024-9bbc-...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 14, 2022
Vulnerability Reserved
Jan 20, 2022

Credit

Brandon James Roldan