CVE-2022-0994 Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting

2022-04-1817:10:41

CWE-79

WPScan

www.cve.org

hummingbird

wordpress

cve-2022-0994

cross-site scripting

admin

config name

EPSS

0.001

Percentile

24.8%

JSON

The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CNA Affected

[
  {
    "product": "Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.3.2",
        "status": "affected",
        "version": "3.3.2",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2022-0994