CVE-2022-36433
Description
The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Amasty Blog Pro 2.10.3 for Magento 2 allows admin-level JavaScript injection via blog post content fields.
Vulnerability
The Amasty Blog Pro plugin for Magento 2, versions prior to 2.10.5, contains a stored cross-site scripting (XSS) vulnerability in the blog-post creation functionality. The short_content and full_content fields are not properly sanitized, allowing injection of arbitrary JavaScript code. The vulnerability is triggered when an admin user previews or saves a blog post via the endpoints POST /admin/amasty_blog/posts/preview/key/{key}/?isAjax=true and POST /admin/amasty_blog/posts/save/key/{key}/back/edit. [2]
Exploitation
An attacker with access to create or edit blog posts (typically an admin or editor role) can inject malicious JavaScript into the short_content or full_content fields. When another admin user (or the same user) previews or saves the post, the injected script executes in the context of the admin panel. No additional user interaction beyond the preview/save action is required. The attacker does not need to be authenticated as the target; any admin viewing the post is affected.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the admin panel session of the victim. This can lead to session hijacking, theft of admin credentials, defacement, or further compromise of the Magento instance. The attack is stored, meaning the malicious payload persists until removed.
Mitigation
The vulnerability is fixed in Amasty Blog Pro version 2.10.5. Users should update to this version or later. No workarounds are documented; the only mitigation is to apply the patch. [2]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Amasty/Blog Pro plugin for Magento 2
- Range: =2.10.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- weglow.skimitre
News mentions
No linked articles in our index yet.