Sep 06, 2022 - 6:15 p.m.

CVE-2022-1628

2022-09-06 18:15:10
CWE-79
web.nvd.nist.gov
simple seo
wordpress
cve-2022-1628
cross-site scripting
vulnerability
attribute-based stored-xss
nvd

CVSS3: 6.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 19.6%

The Simple SEO plugin for WordPress is vulnerable to attribute-based stored Cross-Site Scripting in versions up to and including 1.7.91, due to insufficient sanitization or escaping on the SEO social and standard title parameters. This can be exploited by authenticated users with Contributor and above permissions to inject arbitrary web scripts into posts/pages that execute whenever an administrator accesses the page.

Affected configurations

Node
coleds simple_seo Range 1.7.91 1.7.91

Vendor | Product | Version | CPE
coleds | simple_seo | * | cpe:2.3:a:coleds:simple_seo:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Simple SEO",
    "vendor": "coleds",
    "versions": [
      {
        "lessThanOrEqual": "1.7.91",
        "status": "affected",
        "version": "1.7.91",
        "versionType": "custom"
      }
    ]
  }
]
