CVE-2022-4410

2022-12-1422:15:11

CWE-79

[email protected]

web.nvd.nist.gov

permalink manager lite

wordpress

stored cross-site scripting

vulnerability

post/page/media titles

improper output escaping

arbitrary web scripts

plugin

theme

unfiltered_html

cross-site scripting

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

19.6%

JSON

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. This makes it possible for attackers to inject arbitrary web scripts on the permalink-manager page if another plugin or theme is installed on the site that allows lower privileged users with unfiltered_html the ability to modify post/page titles with malicious web scripts.

Affected configurations

Nvd

Node

permalink_manager_lite_projectpermalink_manager_liteRange≤2.2.20.3wordpress

VendorProductVersionCPE
permalink_manager_lite_projectpermalink_manager_lite*cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
permalink_manager_lite_project	permalink_manager_lite	*	cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite::::::wordpress::*

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2833667%40permalink-manager&new=2833667%40permalink-manager&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/6cbf9636-9d9d-44d4-b873-8920f2dbb846