CVE-2022-4824: WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode
First published: Mon Feb 06 2023(Updated: )
The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Essentialplugin Wp Blog And Widget | <2.3.1 | |
| <2.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-4824?
CVE-2022-4824 is considered a medium severity vulnerability due to its potential for Stored Cross-Site Scripting attacks.
How do I fix CVE-2022-4824?
To fix CVE-2022-4824, update the WP Blog and Widgets plugin to version 2.3.1 or later.
Who is affected by CVE-2022-4824?
Users with roles as low as contributor can exploit CVE-2022-4824 due to improper validation and escaping of shortcode attributes.
What type of vulnerability is CVE-2022-4824?
CVE-2022-4824 is categorized as a Stored Cross-Site Scripting (XSS) vulnerability.
Which versions of the WP Blog and Widgets plugin are vulnerable to CVE-2022-4824?
WP Blog and Widgets plugin versions prior to 2.3.1 are vulnerable to CVE-2022-4824.
- collector/nvd-index
- agent/type
- agent/references
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/essentialplugin
- canonical/essentialplugin wp blog and widget