CVE-2022-0346
Published: 23 May 2022
Summary
CVE-2022-0346 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Xmlsitemapgenerator Xml Sitemap Generator. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 13.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The XML Sitemap Generator for Google WordPress plugin before version 2.0.4 is affected by an input validation flaw tracked as CVE-2022-0346. The plugin fails to sanitize a configurable parameter, allowing it to be set to an arbitrary value that triggers reflected cross-site scripting through error messages; remote code execution becomes possible on installations where the PHP allow_url_include directive is enabled. The issue is classified under CWE-79 and carries a CVSS 3.1 score of 6.1.
An unauthenticated remote attacker can exploit the flaw by supplying a malicious parameter value in a request that reaches the vulnerable code path. Successful exploitation results in execution of attacker-controlled script in the context of a victim user’s browser or, when allow_url_include is active, arbitrary code execution on the server. User interaction is required for the reflected XSS vector.
Public references hosted by WPScan document the vulnerability and indicate that updating the plugin to version 2.0.4 or later removes the unsafe parameter handling. The EPSS score reached a recorded peak of 0.0639 before receding to its current value of 0.0305.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15506
Vulnerability details
The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely mitigating controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submits XSS payloads to the web application to detect cross-site scripting flaws before an attacker does, so they can be remediated.
- Input validation: rejects web inputs containing script-related content that could produce XSS; for a parameter that should only take a fixed set of values, an allowlist is the strongest form.
- Output validation: checks generated web pages against the expected content and rejects or sanitizes script content, reducing XSS exploitability even when a tainted value reaches an error message.
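The following is an added illustration of the input-validation and output-sanitization controls listed above, applied to the weakness class this CVE describes (a request parameter reflected into an error message and able to influence a file include). It is not code from the XML Sitemap Generator plugin; the parameter name `sitemap_type`, the template allowlist and the sample inputs are hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the XML Sitemap Generator plugin.
// The parameter name "sitemap_type" and the template list are hypothetical.

// Allowlist: the only values the parameter may take, each mapped to a fixed
// file name. The raw request value never becomes part of a path, so the
// allow_url_include setting cannot turn this parameter into a remote include.
const SITEMAP_TEMPLATES = [
    'index' => 'sitemap-index.php',
    'pages' => 'sitemap-pages.php',
    'posts' => 'sitemap-posts.php',
];

/**
 * Input validation: resolve the request parameter against the allowlist.
 * Returns the fixed template file name, or null when the value is not one
 * we recognise (the caller then renders an error instead of including).
 */
function resolve_sitemap_template(?string $value): ?string
{
    if ($value === null || $value === '') {
        return SITEMAP_TEMPLATES['index'];
    }
    return SITEMAP_TEMPLATES[$value] ?? null;
}

/**
 * Output sanitization: build the error message shown when the parameter is
 * rejected. The untrusted value is HTML-encoded (the plain-PHP equivalent of
 * WordPress's esc_html()) so it cannot inject markup or script into the page
 * that reflects it.
 */
function rejected_parameter_message(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Unknown sitemap type: ' . $safe;
}

/**
 * Defender check: report whether allow_url_include, the PHP directive the
 * advisory warns about, is active on this host. It has defaulted to Off
 * since PHP 5.2 and should stay that way.
 */
function allow_url_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs: one allowed value, one containing markup, and
// one that is not a template name at all.
foreach (['posts', '<b>bold</b>', 'http://example.invalid/not-a-template'] as $input) {
    $template = resolve_sitemap_template($input);
    echo $template !== null
        ? "include: $template\n"
        : rejected_parameter_message($input) . "\n";
}

echo 'allow_url_include is '
    . (allow_url_include_enabled() ? "ON (disable it in php.ini)\n" : "off\n");
```

Run it with `php example.php`: the allowed value resolves to its fixed file, the two rejected values appear in the error message with `<`, `>` and quotes encoded, and the last line reports the host's `allow_url_include` state. The allowlist, not the escaping, is what removes the include risk; the escaping only addresses the reflected XSS in the error message, so both controls are needed.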