CVE-2022-3893 BlueSpice Custom Menu extension can be exploited via XSS attack by an admin user.

CVE-2022-3893 BlueSpice Custom Menu extension can be exploited via XSS attack by an admin user.

XSS can be exploited to execute arbitrary script code in user session or obtain confidential information (CSRF). BlueSpice is currently the only confirmed XSS vulnerability in the WordPress community. It is recommended for plugin and theme developers to apply fixes as soon as possible. XSS can be exploited to execute arbitrary script code in user session or obtain confidential information (CSRF). BlueSpice is currently the only confirmed XSS vulnerability in the WordPress community. It is recommended for plugin and theme developers to apply fixes as soon as possible. You can read more details about XSS at https://www.WordPress.org/XSS

Impacted Plugins:

BlueSpiceMenu, BlueSpiceCustomMenu

Impacted Themes:
XBSPress, XBSPress Theme, XBSPress Theme Pro, XBSPress Theme Pro v1, XBSPress Theme Pro v2

Cross-site Request Forgery (CSRF) vulnerability in BlueSpice allows user with admin permissions to hijack another user's session. This may lead to access to unauthorized data or system modification.
With the help of CSRF, an attacker can change the status of any resource on the website to complete access.

Definition of Cross-site Request Forgery (CSRF)

The Cross-site Request Forgery (CSRF) vulnerability allows an attacker to hijack another user's session. This may lead to access to unauthorized data or system modification.

Vulnerability Details

BlueSpice is the only confirmed XSS vulnerability in the WordPress community. It is currently recommended for plugin and theme developers to apply fixes as soon as possible.

Summary of Cross-site Request Forgery (CSRF) vulnerability

There is currently a CSRF vulnerability in the WordPress community on BlueSpice. It is recommended for plugin and theme developers to apply fixes as soon as possible. You can read more details about XSS at https://www.WordPress.org/XSS

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe