Cyber Resilience

CVE-2022-2600

Medium · Public PoC

Published: 22 August 2022
Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2600 is a medium-severity Use of Web Link to Untrusted Target with window.opener Access (CWE-1022) vulnerability in the Auto-Hyperlink URLs WordPress plugin (vendor: Auto-Hyperlink Urls Project). Its CVSS base score is 5.4 (Medium).

Operationally, it ranks at the 41.9th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

The Auto-hyperlink URLs WordPress plugin through 5.4.1 does not set rel="noopener noreferrer" on generated links, which can lead to tabnabbing by giving the target site access to the source tab through the window.opener DOM object.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

auto-hyperlink urls project
auto-hyperlink urls
≤ 5.4.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References