Vulnerability Description
The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adtribes | Product Feed Pro For Woocommerce | < 11.2.3 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2670405PatchThird Party Advisory
- https://wpscan.com/vulnerability/de69bcd1-b0b1-4b16-9655-776ee57ad90aExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2670405PatchThird Party Advisory
- https://wpscan.com/vulnerability/de69bcd1-b0b1-4b16-9655-776ee57ad90aExploitThird Party Advisory
FAQ
What is CVE-2022-0426?
CVE-2022-0426 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (ava...
How severe is CVE-2022-0426?
CVE-2022-0426 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-0426?
Check the references section above for vendor advisories and patch information. Affected products include: Adtribes Product Feed Pro For Woocommerce.