CVE-2022-2629

Top Bar < 3.0.4 - Admin+ Stored Cross-Site Scripting

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (3)

NVD, NVD, Wordfence

CWE (1)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC (-)

Risk

CVSS Score

4.8 Medium

SSVC

KEV

EPSS

0.1%

Affected Products (-)

Vendors (1)

wpdarko

Products (1)

top_bar

Versions (1)

< 3.0.4

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (1)

General (-)

Exploits & POcs (1)

wpscan

Patches (-)

Advisories (-)

Summary

Descriptions

The Top Bar WordPress plugin before 3.0.4 does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

El plugin Top Bar de WordPress versiones anteriores a 3.0.4, no sanea y escapa de algunas de sus configuraciones antes de mostrarlas en las páginas del frontend, lo que podría permitir a usuarios con altos privilegios, como el administrador, llevar a cabo ataques de tipo Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en una configuración multisitio)

The Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the tpbr_message,tpbr_btn_text,tpbr_btn_url, and tpbr_color parameters. This allows authenticated users with administrator-level permissions to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

*Credits: Asif Nawaz Minhas

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Multiple

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-08-02 CVE Reserved
2022-09-08 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (1)

URL	Tag	Source

URL	Date	SRC
https://wpscan.com/vulnerability/25a0d41f-3b6f-4d18-b4d5-767ac60ee8a8	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wpdarko Search vendor "Wpdarko"		Top Bar Search vendor "Wpdarko" for product "Top Bar"				< 3.0.4 Search vendor "Wpdarko" for product "Top Bar" and version " < 3.0.4"		wordpress		Affected

CVE-2022-2629

Top Bar < 3.0.4 - Admin+ Stored Cross-Site Scripting

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (1)

Affected Vendors, Products, and Versions