CVE-2022-4718: Landing Page Builder < 1.4.9.9 - Contributor+ Cross-Site Scripting via Shortcode
First published: Mon Jan 23 2023(Updated: )
The Landing Page Builder WordPress plugin before 1.4.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PluginOps Landing Page Builder | <1.4.9.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-4718.
What is the severity of CVE-2022-4718?
CVE-2022-4718 has a severity of medium.
What is the affected software by CVE-2022-4718?
The affected software by CVE-2022-4718 is the Landing Page Builder WordPress plugin before version 1.4.9.9.
What is the impact of CVE-2022-4718?
CVE-2022-4718 allows users with a role as low as contributor to perform Stored Cross-Site Scripting (XSS) attacks.
How can I fix CVE-2022-4718?
To fix CVE-2022-4718, update the Landing Page Builder WordPress plugin to version 1.4.9.9 or later.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/title
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pluginops
- canonical/pluginops landing page builder