CVE-2022-1772

The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:google_places_reviews_project:google_places_reviews:*:*:*:*:*:wordpress:*:*

History

21 Jun 2022, 17:39

Type Values Removed Values Added
First Time Google Places Reviews Project google Places Reviews
Google Places Reviews Project
References (MISC) https://wpscan.com/vulnerability/02addade-d191-4e45-b7b5-2f3f673679ab - (MISC) https://wpscan.com/vulnerability/02addade-d191-4e45-b7b5-2f3f673679ab - Exploit, Third Party Advisory
CPE cpe:2.3:a:google_places_reviews_project:google_places_reviews:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 2.1
v3 : 4.8

13 Jun 2022, 13:26

Type Values Removed Values Added
New CVE

Information

Published : 2022-06-13 13:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-1772

Mitre link : CVE-2022-1772

CVE.ORG link : CVE-2022-1772


JSON object : View

Products Affected

google_places_reviews_project

  • google_places_reviews
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')