History: Feb 06, 2023 - 7:59 p.m.

CVE-2022-4824 WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode

2023-02-06 19:59:10
WPScan
www.cve.org
cve-2022-4824
wp blog and widget
stored xss
shortcode
contributor
cross-site scripting
wordpress plugin

EPSS: 0.001 (percentile: 25.5%)

The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate or escape some of its shortcode attributes before outputting them back into the page. This allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high-privilege users such as administrators: a Contributor cannot publish posts or use unfiltered HTML, but can save a draft or pending post containing the shortcode, and the injected payload is rendered when an Editor or Administrator previews or publishes that post. Fixed in version 2.3.1.
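The following is an added illustration of this vulnerability class, not code from the WP Blog and Widgets plugin or from WPScan: a hypothetical `demo_widget` shortcode handler that echoes its attributes back into the page unescaped, beside a hardened handler that validates and escapes each attribute for the context it lands in. The shortcode name, attribute names and the payload are constructed for this example; the WordPress functions used (`shortcode_atts`, `absint`, `esc_url`, `esc_attr`, `esc_html`, `add_shortcode`) are the real core API.

```php
<?php
// Added illustration of the shortcode-attribute XSS class. This is NOT the
// WP Blog and Widgets plugin's code: the shortcode name, attribute names
// and the payload below are hypothetical / constructed.

/**
 * Vulnerable pattern: attributes are interpolated into HTML verbatim.
 * shortcode_atts() only whitelists attribute NAMES and fills defaults;
 * it does nothing to sanitize the VALUES.
 */
function demo_widget_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '#', 'width' => '300' ),
        $atts,
        'demo_widget'
    );
    // Constructed payload a Contributor could place in a pending post:
    //   [demo_widget title='" onmouseover="alert(document.domain)' link="#"]
    // It needs no angle brackets, so wp_kses post-content filtering does not
    // remove it; the embedded double quote closes the title attribute below
    // and the rest lands as a new event-handler attribute.
    return '<div class="demo-widget" style="width:' . $atts['width'] . 'px">'
         . '<a href="' . $atts['link'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a></div>';
}

/**
 * Hardened pattern: validate what can be validated (numbers, URLs), then
 * escape every remaining value for the exact context it is written into
 * (HTML attribute vs. HTML text are different escapers).
 */
function demo_widget_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '#', 'width' => '300' ),
        $atts,
        'demo_widget'
    );
    $width = absint( $atts['width'] );   // CSS length: integer only, no escaping can fix a style value
    $link  = esc_url( $atts['link'] );   // disallowed schemes (javascript:, data:) come back as ''
    $title = esc_attr( $atts['title'] ); // safe inside a double-quoted attribute
    $text  = esc_html( $atts['title'] ); // safe as element text
    return sprintf(
        '<div class="demo-widget" style="width:%dpx"><a href="%s" title="%s">%s</a></div>',
        $width,
        $link,
        $title,
        $text
    );
}

add_shortcode( 'demo_widget', 'demo_widget_hardened' );
```

When auditing a plugin for this bug class, list every `add_shortcode` registration, follow each attribute returned by `shortcode_atts` to the point where it is concatenated into markup, and confirm it passes through an `esc_*` function that matches that output context. Values written into `style` or into an unquoted attribute cannot be made safe by escaping alone and need validation (`absint`, an allowlist) instead. Keep in mind that Administrators and Editors normally hold `unfiltered_html`, so the finding's severity comes from the Contributor role being able to store the payload that those higher-privileged users later render.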

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WP Blog and Widgets",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "2.3.1"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

