CVE-2022-0422

MEDIUM NUCLEI

White Label CMS < 2.2.9 - Reflected Cross-Site Scripting via wlcms[_login_custom_js] Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-0422 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue

Nuclei Templates (1)

WordPress White Label CMS <2.2.9 - Cross-Site Scripting
MEDIUMby random-robbie

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2672615

Scores

CVSS v3 6.1
EPSS 0.0812
EPSS Percentile 94.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
videousermanuals/white_label_cms < 2.2.9
Published Mar 07, 2022
Tracked Since Feb 18, 2026