CVE-2022-0220
MEDIUM NUCLEIWordPress GDPR & CCPA < 1.9.26 - Unauthenticated Stored Cross-Site Scripting via check_privacy_settings AJAX Action
Title source: llmExploitation Summary
CVE-2022-0220 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)
Nuclei Templates (1)
WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting
MEDIUMby daffainfo
References (1)
Core 1
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
Scores
CVSS v3
6.1
EPSS
0.0231
EPSS Percentile
81.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-116
Status
published
Products (1)
welaunch/wordpress_gdpr\&ccpa
< 1.9.26
Published
Feb 01, 2022
Tracked Since
Feb 18, 2026