Vulnerability Name:

CVE-2022-0448 (CCN-219245)

Assigned:2022-02-02
Published:2022-02-02
Updated:2022-03-11
Summary:The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
CVSS v3 Severity:4.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
7.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
7.0 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2022-0448

Source: XF
Type: UNKNOWN
wp-cpblocks-cve20220448-xss(219245)

Source: CCN
Type: Packet Storm Security [02-08-2022]
WordPress CP Blocks 1.0.14 Cross Site Scripting

Source: CCN
Type: WordPress Plugin Directory
CP Blocks - WordPress

Source: MISC
Type: Exploit, Third Party Advisory
https://wpscan.com/vulnerability/d4ff63ee-28e6-486e-9aa7-c878b97f707c

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-08-2022]

Vulnerable Configuration:Configuration 1:
  • cpe:/a:dwbooster:cp_blocks:*:*:*:*:*:wordpress:*:* (Version < 1.0.15)

    • Configuration CCN 1:
  • cpe:/a:wordpress:wordpress:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    dwbooster cp blocks *
    wordpress wordpress -