First published: Mon Aug 01 2022(Updated: )
The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Timersys Popups | <=1.9.3.8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-2305 is a vulnerability in the WordPress Popup WordPress plugin through 1.9.3.8 that allows high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
The severity of CVE-2022-2305 is medium with a severity value of 4.8.
CVE-2022-2305 affects Timersys Popups plugin through version 1.9.3.8.
The Common Weakness Enumeration (CWE) ID for CVE-2022-2305 is CWE-79.
To fix CVE-2022-2305, you should update the WordPress Popup WordPress plugin to version 1.9.3.9 or higher.