PT-2022-17101 · WordPress · Simple Banner
Author: Muhammad Zeeshan (+1)
Published: 2022-09-06 · Updated: 2023-10-24
CVE-2022-2515
CVSS v3.1: 6.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Simple Banner plugin for WordPress versions up to and including 2.11.0
Description
The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers to inject arbitrary web scripts via the pro version activation code parameter. The injected script executes whenever a user with access to the Simple Banner plugin's settings views the page.
Recommendations
Users of the Simple Banner plugin for WordPress versions up to and including 2.11.0 should update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, restrict access to the plugin's settings page to minimize the risk of exploitation, and avoid using the pro version activation code parameter in the affected plugin until the issue is resolved.
Exploit
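The description above attributes the flaw to missing input sanitization and output escaping on a settings field, and the recommendations suggest limiting who can reach that settings page. The following is an added illustration, not the Simple Banner plugin's own code: it shows the unsafe settings-page pattern the advisory describes beside a hardened version built on the WordPress Settings API. The option name `sb_example_activation_code`, the settings group `sb_example_group`, and the text domain `sb-example` are constructed placeholders.

```php
<?php
// Added illustration (not code from the Simple Banner plugin). Contrasts the
// unsafe "store raw input, echo raw value" pattern with a hardened version
// that sanitizes on write and escapes on output. Option name, settings group
// and text domain are constructed placeholders.

// --- Unsafe pattern: raw input stored, raw value echoed into the settings page ---
function sb_example_unsafe_settings_page() {
    if ( isset( $_POST['activation_code'] ) ) {
        // No sanitization: whatever the authenticated user submits is stored as-is.
        update_option( 'sb_example_activation_code', $_POST['activation_code'] );
    }
    $code = get_option( 'sb_example_activation_code', '' );
    // No output escaping: a stored value containing a double quote and markup
    // breaks out of the attribute and is rendered as HTML for the next admin.
    echo '<input type="text" name="activation_code" value="' . $code . '">';
}

// --- Hardened pattern ---
// 1. Register the option with a sanitize callback so every write via
//    options.php passes through it.
add_action( 'admin_init', 'sb_example_register_settings' );
function sb_example_register_settings() {
    register_setting(
        'sb_example_group',
        'sb_example_activation_code',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sb_example_sanitize_code',
            'default'           => '',
        )
    );
}

// An activation code is an opaque token, so an allow-list of characters is
// appropriate; sanitize_text_field() alone would still let through quotes.
function sb_example_sanitize_code( $value ) {
    $value = sanitize_text_field( (string) $value );
    $value = preg_replace( '/[^A-Za-z0-9\-_]/', '', $value );
    return substr( $value, 0, 64 );
}

// 2. Render through the Settings API: capability check, nonce via
//    settings_fields(), and esc_attr() on the stored value.
function sb_example_hardened_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sb-example' ) );
    }
    $code = get_option( 'sb_example_activation_code', '' );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'sb_example_group' ); ?>
        <label for="sb_example_activation_code">Activation code</label>
        <input type="text"
               id="sb_example_activation_code"
               name="sb_example_activation_code"
               value="<?php echo esc_attr( $code ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Both halves of the fix matter independently: the sanitize callback stops new payloads from being stored, but `esc_attr()` on output is what protects administrators from a value that was already saved by a vulnerable version or written through another code path. After upgrading a plugin with this class of bug, it is also worth re-saving or inspecting the existing option value, since the new sanitizer only runs on subsequent writes.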
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Simple Banner