CVE-2022-4838: Clean Login < 1.13.7 - Contributor+ Stored XSS via Shortcode
First published: Mon Feb 06 2023(Updated: )
The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Codection Clean Login | <1.13.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for the Clean Login WordPress plugin?
The vulnerability ID for the Clean Login WordPress plugin is CVE-2022-4838.
What is the severity of CVE-2022-4838?
The severity of CVE-2022-4838 is medium with a severity value of 5.4.
How can the Clean Login WordPress plugin be exploited?
The Clean Login WordPress plugin can be exploited through Stored Cross-Site Scripting attacks.
Who is affected by CVE-2022-4838?
Users of the Clean Login WordPress plugin version up to 1.13.7 are affected by CVE-2022-4838.
Is there a fix available for CVE-2022-4838?
Yes, updating the Clean Login WordPress plugin to version 1.13.7 or later will fix CVE-2022-4838.
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/severity
- agent/last-modified-date
- agent/title
- agent/weakness
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/codection
- canonical/codection clean login