CVE-2022-1597

MEDIUM NUCLEI

WPQA Builder < 5.4 - Reflected Cross-Site Scripting via Reset Password Form Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-1597. PoCs published by V35HR4J. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2022-1597, a reflected XSS vulnerability in the WPQA plugin and associated themes (DISCY and HIMER). The exploit leverages unsanitized input in the password reset form to inject malicious JavaScript.

Description

The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer , does not sanitise and escape a parameter on its reset password form which makes it possible to perform Reflected Cross-Site Scripting attacks

Exploits (1)

nomisec WORKING POC 4 stars
by V35HR4J · poc
https://github.com/V35HR4J/CVE-2022-1597

This repository contains a proof-of-concept for CVE-2022-1597, a reflected XSS vulnerability in the WPQA plugin and associated themes (DISCY and HIMER). The exploit leverages unsanitized input in the password reset form to inject malicious JavaScript.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WPQA Builder Forms Addon for WordPress < 5.4, DISCY theme, HIMER theme
No auth needed
Prerequisites: Access to the target WordPress site with the vulnerable plugin/theme installed
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress WPQA <5.4 - Cross-Site Scripting
MEDIUMVERIFIEDby veshraj

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e

Scores

CVSS v3 6.1
EPSS 0.0291
EPSS Percentile 85.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
2code/wpqa_builder < 5.4
Published Jun 08, 2022
Tracked Since Feb 18, 2026