CVE-2022-2753
Published: 19 September 2022
Summary
CVE-2022-2753 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in the Ketchup Restaurant Reservations WordPress plugin (vendor: Ketchup Restaurant Reservations Project). Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Ketchup Restaurant Reservations WordPress plugin through version 1.0.0 contains a cross-site scripting vulnerability (CWE-79) because it fails to sanitize or escape certain reservation fields submitted by users. The affected component is the plugin's reservation handling logic, which stores and later displays these inputs to administrators without proper output encoding.
An unauthenticated attacker can submit a reservation containing malicious JavaScript payloads. When an administrator views the reservation in the WordPress dashboard, the script executes in the administrator's browser context, enabling actions such as session hijacking or unauthorized configuration changes with the administrator's privileges.
The EPSS score for this issue has remained flat at 0.1553 with no material increase after disclosure. The referenced WPScan advisory provides the primary public details on the flaw but does not include additional exploitation or mitigation data beyond the initial report.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34995
Vulnerability details
The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against a logged-in admin viewing the malicious reservation.
- CWE(s): CWE-79
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
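The stored-XSS pattern described under "Deeper analysis" (user-supplied reservation fields rendered to an administrator without output encoding) and the two controls listed above (input validation, output escaping) can be shown side by side in plain PHP. The following is an added example, not the plugin's own code: the reservation record, the field names and the function names are constructed for illustration, and `htmlspecialchars()` stands in for the WordPress escaping helpers (`esc_html()`, `esc_attr()`) that a plugin would use.

```php
<?php
// Added example (not code from the Ketchup Restaurant Reservations plugin).
// Demonstrates the CWE-79 pattern behind CVE-2022-2753: untrusted reservation
// fields are stored and later rendered into admin-facing HTML. The record
// below is constructed; the <script> marker is a harmless test string.

$reservation = [
    'name'  => 'Alice <script>alert(1)</script>',
    'party' => '4',
    'notes' => 'Window seat please',
];

// Vulnerable pattern: stored values are interpolated straight into the
// admin page, so any markup in them becomes live HTML in the admin browser.
function render_row_unsafe(array $r): string
{
    return "<tr><td>{$r['name']}</td><td>{$r['party']}</td><td>{$r['notes']}</td></tr>";
}

// Control 1 (input validation): normalise on the way in. This mirrors what
// WordPress's sanitize_text_field() does in spirit: drop tags and control
// characters. On its own it is not sufficient, because data may enter by
// other paths and the HTML context is only known at output time.
function sanitize_on_input(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Control 2 (output escaping): entity-encode every untrusted value at the
// point where it is placed into HTML text content. In WordPress this is
// esc_html(); values placed into attributes need esc_attr() instead, and
// values placed into inline JavaScript need their own encoder.
function esc_html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $r): string
{
    return '<tr><td>' . esc_html_text($r['name'])
        . '</td><td>' . esc_html_text($r['party'])
        . '</td><td>' . esc_html_text($r['notes']) . '</td></tr>';
}

// Detection-style check a test suite can run over rendered output:
// a raw <script tag (or a raw tag opener at all) in what should be text
// content means escaping was missed.
function contains_raw_script_tag(string $html_cell_text): bool
{
    return (bool) preg_match('/<script\b/i', $html_cell_text);
}

$unsafe = render_row_unsafe($reservation);
$safe   = render_row_safe($reservation);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "unsafe keeps payload? ", contains_raw_script_tag($unsafe) ? 'yes' : 'no', PHP_EOL;
echo "safe keeps payload?   ", contains_raw_script_tag($safe) ? 'yes' : 'no', PHP_EOL;

// Defence in depth: sanitise on input AND escape on output. Escaping an
// already-sanitised value is harmless, while skipping either step leaves a
// gap (input-only misses data that arrives by another route; output-only
// still stores executable markup in the database).
$clean = array_map('sanitize_on_input', $reservation);
echo "both:   ", render_row_safe($clean), PHP_EOL;
```

Run with `php example.php`; the unsafe row prints the `<script>` marker intact, while the escaped row prints it as `&lt;script&gt;`, which the browser displays as text rather than executing. The same check applied to the plugin's reservation views in an admin screen would have flagged the unescaped fields before release.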