Vulnerability Details : CVE-2022-2600
The Auto-hyperlink URLs WordPress plugin through 5.4.1 does not set rel="noopener noreferrer" on generated links, which can lead to Tab Nabbing by giving the target site access to the source tab through the window.opener DOM object.
Products affected by CVE-2022-2600
- Auto-hyperlink Urls Project » Auto-hyperlink Urls » For Wordpress
  Versions up to, including, (<=) 5.4.1
  cpe:2.3:a:auto-hyperlink_urls_project:auto-hyperlink_urls:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-2600
- 0.10%: Probability of exploitation activity in the next 30 days
- ~ 39 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-2600
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2.8 | 2.5 | NIST | |
CWE ids for CVE-2022-2600
- The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
  Assigned by: contact@wpscan.com (Secondary)
References for CVE-2022-2600
- https://wpscan.com/vulnerability/01bbdefd-bdc3-43ef-9f35-6e7ebe786be2 (Exploit; Third Party Advisory)