CVE-2022-2541

Name of the Vulnerable Software and Affected Versions uContext for Amazon plugin for WordPress versions up to, and including 3.9.1

Description The issue is related to Cross-Site Request Forgery to Cross-Site Scripting due to missing nonce validation in the ~/app/sites/ajax/actions/keyword save.php file, which is called via the doAjax() function. This allows unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For versions up to, and including 3.9.1, update to a version that includes nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the ~/app/sites/ajax/actions/keyword save.php file to minimize the risk of exploitation. Additionally, restrict the use of the doAjax() function until a patch is available.