First published: Mon Jan 23 2023
The Compact WP Audio Player WordPress plugin before 1.9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Tipsandtricks-hq Compact Wp Audio Player | <1.9.8 | |
The severity of CVE-2022-4542 is medium with a CVSS score of 5.4.
The vulnerability in the Compact WP Audio Player WordPress plugin before version 1.9.8 is a Stored Cross-Site Scripting (XSS) vulnerability.
Users of the Compact WP Audio Player WordPress plugin before version 1.9.8 are affected by CVE-2022-4542.
An attacker with a role as low as contributor can exploit this vulnerability by injecting malicious scripts into the plugin's shortcode attributes.
Yes, upgrading to version 1.9.8 of the Compact WP Audio Player WordPress plugin fixes CVE-2022-4542.
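The bug class described above (shortcode attributes echoed without validation or escaping) is shown here as an added example; it is not code from Compact WP Audio Player or from this advisory. The shortcode names `demo_audio_unsafe` and `demo_audio_safe` and the attributes `fileurl`, `class` and `volume` are hypothetical; the WordPress functions are core APIs, and the file runs as a plugin inside a WordPress install.

```php
<?php
/**
 * Plugin Name: Shortcode Escaping Demo (illustrative)
 * Description: Hypothetical handlers; names are assumptions, not the audio plugin's own.
 */

// BEFORE: values typed by a contributor are concatenated into markup as-is.
// A value containing a double quote ends the HTML attribute, and the rest is
// parsed as new attributes or markup when a higher-privileged user views the post.
function demo_audio_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'fileurl' => '', 'class' => '' ), $atts, 'demo_audio_unsafe' );
    return '<audio controls class="' . $atts['class'] . '" src="' . $atts['fileurl'] . '"></audio>';
}
add_shortcode( 'demo_audio_unsafe', 'demo_audio_unsafe' );

// AFTER: validate each attribute against what it may be, then escape for the
// exact output context (URL attribute, class attribute, integer).
function demo_audio_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'fileurl' => '', 'class' => '', 'volume' => '80' ),
        $atts,
        'demo_audio_safe'
    );

    // Validate: only http(s) URLs; other schemes come back as an empty string.
    $url = esc_url_raw( $atts['fileurl'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return ''; // Render nothing rather than a half-trusted tag.
    }

    // Validate: reduce "class" to safe class tokens, clamp "volume" to 0..100.
    $tokens  = preg_split( '/\s+/', $atts['class'], -1, PREG_SPLIT_NO_EMPTY );
    $classes = implode( ' ', array_filter( array_map( 'sanitize_html_class', $tokens ) ) );
    $volume  = min( 100, absint( $atts['volume'] ) );

    // Escape at the point of output, even though the values were validated above.
    return sprintf(
        '<audio controls class="%s" data-volume="%d" src="%s"></audio>',
        esc_attr( $classes ),
        $volume,
        esc_url( $url, array( 'http', 'https' ) )
    );
}
add_shortcode( 'demo_audio_safe', 'demo_audio_safe' );
```

When reviewing a plugin for this pattern, look for `add_shortcode` callbacks that concatenate `$atts` values into returned HTML without an `esc_*` call at the point of output.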