Platform
wordpress
Component
accordions-or-faqs
Fixed in
2.0.4
CVE-2022-45082 describes multiple stored Cross-Site Scripting (XSS) vulnerabilities within the Accordions plugin for WordPress. These vulnerabilities allow authenticated administrators to inject malicious scripts that could be executed in the context of other users' browsers. The vulnerability affects versions of the plugin up to and including 2.0.3. A patch has been released to address this issue.
Successful exploitation of CVE-2022-45082 allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the WordPress site, redirection to phishing pages, and theft of sensitive user data. The stored nature of the XSS means that the injected script persists on the server, potentially affecting multiple users who visit the affected pages. While requiring admin authentication, this vulnerability represents a significant risk to WordPress sites with privileged user accounts.
CVE-2022-45082 was publicly disclosed on November 18, 2022. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 3.4 (LOW) indicates a relatively low probability of exploitation, but the potential impact warrants prompt remediation. It is not listed on the CISA KEV catalog at the time of this writing.
WordPress sites utilizing the Accordions plugin, particularly those with multiple administrator accounts or shared hosting environments, are at risk. Sites with legacy configurations or weak password policies for administrator accounts are especially vulnerable.
• wordpress / composer / npm:
  grep -r 'addons-style-name' /var/www/html/wp-content/plugins/accordions/
• wordpress / composer / npm:
  grep -r 'accordions_or_faqs_license_key' /var/www/html/wp-content/plugins/accordions/
• wordpress / composer / npm:
  wp plugin list --status=active | grep accordions
Disclosure
Exploit Status
EPSS
0.21% (percentile 43%)
CVSS Vector
The primary mitigation for CVE-2022-45082 is to upgrade the Accordions plugin to a version newer than 2.0.3. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the addons-style-name and accordions_or_faqs_license_key parameters to prevent malicious script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of defense. Regularly review WordPress plugin configurations and user permissions to minimize the attack surface.
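To illustrate the input sanitization and output escaping the mitigation above recommends, here is an added PHP example that is not the Accordions plugin's own code: a hypothetical settings handler shown first in the vulnerable pattern and then hardened with standard WordPress functions. Only the two parameter names come from this page; the function names, the nonce action and field, and the option storage are assumptions.

```php
<?php
// Added illustrative example, not the Accordions plugin's own code.
// Option/parameter names mirror the page; everything else is hypothetical.

// BEFORE (vulnerable pattern): the submitted value is stored as-is and later
// printed into HTML unescaped, so a stored payload is rendered for every
// administrator who opens the settings page.
function acc_demo_save_unsafe() {
    update_option( 'addons-style-name', $_POST['addons-style-name'] );
}
function acc_demo_render_unsafe() {
    $name = get_option( 'addons-style-name', '' );
    echo '<input name="addons-style-name" value="' . $name . '">';
}

// AFTER (hardened pattern): capability and nonce checks on save,
// sanitize on input, escape for the exact output context.
function acc_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change these settings
    }
    check_admin_referer( 'acc_demo_save', 'acc_demo_nonce' ); // hypothetical action/field
    $style = isset( $_POST['addons-style-name'] )
        ? sanitize_text_field( wp_unslash( $_POST['addons-style-name'] ) ) : '';
    $key = isset( $_POST['accordions_or_faqs_license_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['accordions_or_faqs_license_key'] ) ) : '';
    update_option( 'addons-style-name', $style );
    update_option( 'accordions_or_faqs_license_key', $key );
}
function acc_demo_render_safe() {
    $style = get_option( 'addons-style-name', '' );
    $key   = get_option( 'accordions_or_faqs_license_key', '' );
    // esc_attr() for attribute context; values are escaped on output even
    // though they were sanitized on save (defense in depth against values
    // that reached the database by another path).
    echo '<input name="addons-style-name" value="' . esc_attr( $style ) . '">';
    echo '<input name="accordions_or_faqs_license_key" value="' . esc_attr( $key ) . '">';
    echo '<p>' . esc_html( $style ) . '</p>'; // esc_html() for text-node context
}
```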
Update the Accordions – Multiple Accordions or FAQs Builder plugin to the latest available version. Version 2.0.4 or later fixes this Cross-Site Scripting (XSS) vulnerability.
CVE-2022-45082 is a stored Cross-Site Scripting (XSS) vulnerability in the Accordions plugin for WordPress, affecting versions up to 2.0.3. It allows authenticated admins to inject malicious scripts.
You are affected if you are using the Accordions plugin version 2.0.3 or earlier. Check your plugin versions and upgrade immediately if vulnerable.
Upgrade the Accordions plugin to a version greater than 2.0.3. This resolves the XSS vulnerability and prevents malicious script injection.
As of now, there are no known public exploits or active campaigns targeting CVE-2022-45082, but prompt remediation is still recommended.
Refer to the plugin developer's website or the WordPress plugin repository for the latest information and updates regarding CVE-2022-45082.