Sep 12, 2022 | web | research

CVE-2022-2655

GeoZIN

Hacker

Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting

Description

After creating an Ad, using Classified Listing Pro puglin, the Ad menu, categories, and subcategorieds become vulnerable to Reflected Cross-Site Scripting (XSS).

Proof of Concept (POC)

To reproduce the failure, it is necessary creating at least one category and one Ad

With that so, we can explore the vulnerability:

Atacker

Affected Versions

Classified Listing Pro < 2.0.20

References

CVE-2022-2655

WPScan

GitHub Geozin

Ithemes

Cross-Site Scripting (XSS)

Classification

Type: Cross-Site Scripting

OWASP TOP 10: A03:2021-Injection

CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Researchers/Hackers

Geovanni Campos (GeoZIN), Islan Ferreira (LnZ)., Thiago Martins (Kirito), Jorge Buzeti (R3tr0), Leandro Inacio (Saitama), Lucas de Souza (Sinnat), Matheus Oliveira (Froyd), Filipe Baptistella (Baptistella), Leonardo Paiva (Megatron), Jose Thomaz (Pip3r), Joao Maciel (Yohan), Vinicius Pereira (Vini), Hudson Nowak (Nowak) and Guilherme Acerbi (Ghost).

Support us

Hacking Force is a community focused on spreading knowledge about technology and cyber security, offering a way for people to rise. We are grateful for being supported by people with the same point of view. If you indentify with it, then consider joining us.

contact@hackingforce.com.br

Principal Sponsors

nowcy

Blog Hacking Force © 2024