
Exploit for WordPress WP-Ban <1.69.1 - Stored Cross-Site Scripting (CVE-2022-4260)

Description:

WP-Ban for WordPress before 1.69.1 does not sanitise some of its settings on save and does not escape them on output, so a high-privilege user such as an administrator can store a script payload in the plugin's settings that runs in the browser of any user who later views a page where the setting is rendered. The impact is the usual one for stored XSS in the admin area: the payload runs with the victim's session, so it can perform authenticated actions or attempt to steal cookie-based authentication credentials. WordPress ordinarily lets administrators post raw HTML through the unfiltered_html capability, which is why admin-only XSS is often not treated as a vulnerability; this issue is reportable because it can be exploited even when unfiltered_html is disallowed, for example on multisite installs, where site administrators are not trusted with raw markup.

Nuclei Template

Template: CVE-2022-4260.yaml (nuclei-templates repository, http/cves/2022/)

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2022/CVE-2022-4260.yaml

Set URL to the site root (scheme and host, for example https://target.example) and review the matched output before reporting.
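To confirm a Nuclei match by hand, the following added example (not code from the original page, from nuclei, or from the plugin) fingerprints the installed version from the plugin's readme.txt, which WordPress.org plugins ship with a "Stable tag:" header, and compares it with the first fixed release, 1.69.1. The directory slug wp-ban, the sample readme fragments and the target URL are assumptions made for the example.

```python
"""Manual version check for WP-Ban (CVE-2022-4260, fixed in 1.69.1).

Added example: this is not code from the original page, from nuclei, or from the
plugin. It reads the "Stable tag:" header that WordPress.org plugins ship in
readme.txt and compares it with the first fixed release. Assumption: the plugin
is installed under the directory slug "wp-ban", so the file is reachable at
<site>/wp-content/plugins/wp-ban/readme.txt.
"""
import re
import sys
import urllib.request

FIXED_VERSION = (1, 69, 1)   # first release that escapes the affected settings
PLUGIN_SLUG = "wp-ban"       # assumed plugin directory name
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed readme.txt fragments used as offline sample input (not real files).
SAMPLE_VULNERABLE_README = "=== WP-Ban ===\r\nStable tag: 1.68\r\n\r\nBan users by IP.\r\n"
SAMPLE_FIXED_README = "=== WP-Ban ===\nStable tag: 1.69.1\n"
SAMPLE_TRUNK_README = "=== WP-Ban ===\nStable tag: trunk\n"


def parse_version(tag, width=3):
    """'1.69.1' -> (1, 69, 1); '1.69' -> (1, 69, 0). Returns None for tags such
    as 'trunk' that carry no numeric version."""
    tag = tag.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", tag):
        return None
    nums = tuple(int(part) for part in tag.split("."))
    # Pad with zeros so that 1.69 compares as 1.69.0, i.e. older than 1.69.1.
    return nums + (0,) * max(0, width - len(nums))


def is_vulnerable_version(tag):
    """True if the tag is older than the fixed release, False if it is not,
    None if the tag cannot be interpreted as a version."""
    parsed = parse_version(tag)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def stable_tag_from_readme(text):
    """Extract the value of the 'Stable tag:' header, or None if absent."""
    match = STABLE_TAG_RE.search(text)
    return match.group(1) if match else None


def assess_readme(text):
    """Return (stable_tag, vulnerable) where vulnerable is True/False/None."""
    tag = stable_tag_from_readme(text)
    if tag is None:
        return None, None
    return tag, is_vulnerable_version(tag)


def fetch_readme(base_url, timeout=10):
    """Download the plugin readme from a live site (network access required)."""
    url = f"{base_url.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: python3 check_wp_ban.py https://target.example  (hypothetical host)
    if len(sys.argv) != 2:
        sys.exit("usage: check_wp_ban.py https://target.example")
    tag, vulnerable = assess_readme(fetch_readme(sys.argv[1]))
    print(f"Stable tag: {tag}  vulnerable(<1.69.1): {vulnerable}")
```

Treat the result as a version hint rather than proof: readme.txt may be deleted or its Stable tag may lag the installed code, and a "trunk" tag gives no version at all, so cross-check against the plugin's main file header or the Nuclei output. Remember also that the payload has to be planted by an authenticated high-privilege user, so a vulnerable version matters most where unfiltered_html is disallowed, as on multisite.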

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-4260
https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db
https://github.com/ARPSyndicate/kenzer-templates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260
https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk