CVE-2022-4301
Published: 09 January 2023
Summary
CVE-2022-4301 is a medium-severity vulnerability, of an unspecified weakness class, in Sunshinephotocart Sunshine Photo Cart. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 11.5% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Sunshine Photo Cart WordPress plugin before version 2.9.15 contains a reflected cross-site scripting vulnerability. The flaw stems from insufficient sanitization and escaping of an unspecified parameter that is later reflected back into page output, allowing script injection. The issue carries a CVSS 3.1 base score of 6.1 with network attack vector, low complexity, no required privileges, and required user interaction.
An unauthenticated remote attacker can supply a crafted link or request that, when clicked by a victim, executes arbitrary JavaScript in the context of the affected site. Successful exploitation yields limited confidentiality and integrity impacts with changed scope, but no availability effect.
The vulnerability is documented in the WPScan advisory at the referenced URL, which identifies the affected plugin versions and the reflected XSS vector.
EPSS for the CVE rose from a low baseline to a peak of 0.1459 before receding to the current value of 0.0386, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51657
Vulnerability details
The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.