CVE-2022-1914

CVE-2022-1914: Clean-Contact <= 1.6 - Arbitrary Settings Update to Stored XSS via CSRF

Vendor Unknown

Product Clean-Contact

Weakness CWE-352 · CSRF

Published June 27, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Clean-Contact WordPress plugin through 1.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well

Key dates

02Disclosure timeline

June 27, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1914 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

04Related CVE

CVE-2022-47447 WordPress WP-Advanced-Search Plugin <= 3.3.8 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-49555 Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352) CVE-2024-34806 WordPress Clearfy Cache plugin <= 2.2.1 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-13749 Clearfy <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering CVE-2024-56140 Bypass of CSRF Middleware in Astro