Securin Zero Days

CVE-2022-28290 · Severity: Medium · CVSS 6.1 · Status: Patched · EPSS 0.01869%

    Reflected Cross-Site Scripting in Welaunch

Reflected Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever a user opens the country selector page with the payload included as part of the HTTP request.

CVE ID: CVE-2022-28290
CVSS v3.1: 6.1 Medium
Vendor: Welaunch
CWE: CWE-79
Disclosed: Mar 25, 2022
Status: Fixed
    01/Description


Reflected Cross-Site Scripting attacks, also known as non-persistent attacks, occur when a malicious script is reflected from a web application back to the victim’s browser. The script is delivered through a link that sends a request containing it to the vulnerable website, which echoes it into the response where the victim’s browser executes it.

Vendor: Welaunch
Affected Product: WordPress Country Selector
CVE: CVE-2022-28290
Securin ID: 2022-CSW-03-1055
Status: Fixed
Date: March 25, 2022
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
    02/Proof of Concept


CVSS 3.1: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Scope: Changed
Impact: C:L / I:L / A:N
Severity: Medium

PoC · Exploitation Steps

Figure 01: Original AJAX request.
Figure 02: Injected XSS payloads in the “country” and “lang” parameters.
Figure 03: Injected JavaScript code for the “lang” and “country” parameters is executed in the user’s browser.
Figure 04: The default Cross-Site Scripting mitigation setting in the wp.config file to prevent XSS attacks.
    03/Impact


An attacker can perform the following:

Medium: Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Medium: Modify the code and get the session information of other users.

High: Compromise the user machine.

    04/Remediation


01. Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library consistently throughout the application.

02. Implement input validation for special characters on all variables that are reflected in the browser or stored in the database.

03. Explicitly set the character set encoding for each page generated by the web server.

04. Encode dynamic output elements and filter specific characters in dynamic elements.
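The four remediation steps worked through as an added example (illustrative PHP written for this page, not the plugin's code): a hypothetical selector handler that reflects the “country” and “lang” parameters named in the PoC figures, first unsafely and then with allow-list validation, context-sensitive encoding and an explicit charset. Plain PHP functions stand in for the WordPress equivalents named in the comments.

```php
<?php
// Illustrative example written for this advisory, not code from the plugin.
// "country" and "lang" are the parameter names from the PoC figures.
// Remediation step 03: declare the charset explicitly instead of letting
// the browser sniff one (harmless no-op when run from the CLI).
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
}

// VULNERABLE pattern: request values echoed unchanged into an HTML attribute,
// HTML text and an inline <script> string, each a different injection context.
function render_selector_unsafe(string $country, string $lang): string
{
    return '<select name="country" data-lang="' . $lang . '">'
         . '<option value="' . $country . '" selected>' . $country . '</option>'
         . '</select><script>var lang = "' . $lang . '";</script>';
}

// Step 02: allow-list validation. Country/language codes are two letters
// (ISO 3166-1 alpha-2 / ISO 639-1); anything else falls back to a default.
function validate_code(string $value, string $fallback): string
{
    return preg_match('/^[A-Za-z]{2}$/', $value) === 1 ? strtolower($value) : $fallback;
}

// Steps 01 and 04: encode for the context the value lands in. HTML text and
// attributes get htmlspecialchars() with ENT_QUOTES; the JavaScript string gets
// json_encode() with the HEX flags, so "</script>" cannot close the tag.
// WordPress equivalents: esc_html(), esc_attr(), wp_json_encode().
function html_ctx(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
function js_ctx(string $s): string
{
    return (string) json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function render_selector_safe(string $country, string $lang): string
{
    $country = validate_code($country, 'us');
    $lang    = validate_code($lang, 'en');
    return '<select name="country" data-lang="' . html_ctx($lang) . '">'
         . '<option value="' . html_ctx($country) . '" selected>' . html_ctx($country) . '</option>'
         . '</select><script>var lang = ' . js_ctx($lang) . ';</script>';
}

// Constructed input with HTML metacharacters; no working payload is needed.
$country = (string) ($_GET['country'] ?? 'de"><b>x</b>');
$lang    = (string) ($_GET['lang'] ?? 'en</script>');
echo render_selector_unsafe($country, $lang), "\n"; // markup reaches the page unchanged
echo render_selector_safe($country, $lang), "\n";   // allow-list rejects both; falls back to us/en
echo html_ctx($country), ' ', js_ctx($lang), "\n";  // encoding alone: de&quot;&gt;&lt;b&gt;x&lt;/b&gt; "en\u003C\/script\u003E"
```

Run it with `php selector.php` to compare the three output lines; the last line shows that encoding alone neutralises the metacharacters even when the allow-list is not applied.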
    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2022-28290, contact disclose@securin.io
    05/Disclosure Timeline


March 24, 2022: Discovered in WordPress Country Selector Plugin Version 1.6.5

March 25, 2022: Reported to Welaunch

March 29, 2022: Acknowledged by Welaunch

March 30, 2022: Vendor released patch for the XSS vulnerability

March 31, 2022: CSW assigned CVE-2022-28290

    Disclosed 6 days after discovery

    06/References


NVD — CVE-2022-28290: nvd.nist.gov/vuln/detail/CVE-2022-28290

Securin VI — Full Technical Analysis: vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority