{"containers": {"cna": {"affected": [{"product": "Progressive License", "vendor": "Unknown", "versions": [{"lessThanOrEqual": "1.1.0", "status": "affected", "version": "1.1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Daniel Ruf"}], "descriptions": [{"lang": "en", "value": "The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-01T12:49:33.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede"}], "source": {"discovery": "EXTERNAL"}, "title": "Progressive License <= 1.1.0 - CSRF to Stored XSS", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2171", "STATE": "PUBLIC", "TITLE": "Progressive License <= 1.1.0 - CSRF to Stored XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Progressive License", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.1.0", "version_value": "1.1.0"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Daniel Ruf"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:07.973Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2171", "datePublished": "2022-08-01T12:49:33.000Z", "dateReserved": "2022-06-22T00:00:00.000Z", "dateUpdated": "2024-08-03T00:32:07.973Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:crowdfavorite:progressive_license:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A7286275-18BF-40B4-959F-2243ADFCB56B", "versionEndIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well."}, {"lang": "es", "value": "El plugin Progressive License de WordPress versiones hasta 1.1.0 carece de cualquier comprobaci\u00f3n de tipo CSRF cuando guarda sus ajustes, lo que podr\u00eda permitir a atacantes hacer que un administrador conectado los cambie. Adem\u00e1s, como el plugin permite insertar HTML arbitrario en una de las configuraciones, esto podr\u00eda conllevar a un problema de tipo XSS almacenado que ser\u00eda desencadenado tambi\u00e9n en el frontend"}], "id": "CVE-2022-2171", "lastModified": "2024-11-21T07:00:28.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-01T13:15:10.513", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/11937296-7ecf-4b94-b274-06f7990dbede"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "contact@wpscan.com", "type": "Secondary"}]}

{}

{}