First published: Mon Jan 16 2023(Updated: )
The Metricool WordPress plugin before 1.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Metricool Metricool | <1.18 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this vulnerability is CVE-2022-4299.
CVE-2022-4299 has a severity rating of medium.
The Metricool WordPress plugin versions prior to 1.18 are affected by CVE-2022-4299.
CVE-2022-4299 allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks.
To mitigate CVE-2022-4299, update the Metricool WordPress plugin to version 1.18 or higher.