CVE-2022-2654

EUVD-2022-34900
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA-ADPADP
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
radiusthemeclassified_listing
𝑥
< 2.0.20
radiusthemeclassified_listing
𝑥
< 2.2.14
radiusthemeclassified_listing_store_\&_membership
𝑥
< 1.4.20
radiusthemeclassima
𝑥
< 2.1.11
radiusthemeclassima_core
𝑥
< 1.10
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993
https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993