CVE-2022-4897
Published: 21 February 2023
Summary
CVE-2022-4897 is a medium-severity vulnerability of unspecified weakness type in iThemes BackupBuddy. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The BackupBuddy WordPress plugin before version 8.8.3 contains a reflected cross-site scripting vulnerability. The flaw stems from insufficient sanitization and escaping of certain request parameters that are later reflected in the plugin's output, allowing attacker-controlled content to execute in a victim's browser. It carries a CVSS 3.1 base score of 6.1 (attack vector: network; attack complexity: low; privileges required: none; user interaction: required).
An unauthenticated remote attacker can exploit the issue by crafting a malicious link or request that is clicked by an authenticated user with access to the plugin's administrative pages. Successful exploitation can result in the attacker executing arbitrary scripts in the context of the victim's session, potentially leading to theft of cookies, session hijacking, or other actions within the WordPress site.
The referenced WPScan advisory identifies the affected versions and confirms the vulnerability is resolved by updating to BackupBuddy 8.8.3 or later, which implements proper input sanitization and output encoding for the affected parameters.
The EPSS score for this CVE stands at 0.2168 with no material increase from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52154
Vulnerability details
The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.