History: Jan 16, 2024 - 4:15 p.m.

CVE-2022-2413

2024-01-16 16:15:09
CWE-79
WPScan
web.nvd.nist.gov
cve-2022-2413
slide anything
wordpress
plugin
security vulnerability
javascript injection
admin pages

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0
Percentile: 14.0%

The Slide Anything WordPress plugin before 2.3.47 does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged-in user with a role as low as Author to inject a JavaScript payload into the slide title even when the unfiltered_html capability is disabled.

Affected configurations

Node: simonpedge slide_anything, Range <2.3.47, wordpress

Vendor: simonpedge
Product: slide_anything
Version: *
CPE: cpe:2.3:a:simonpedge:slide_anything:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Slide Anything",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.3.47"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
