CVE-2022-3904

2023-01-1616:15:10

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-3904

monsterinsights

wordpress plugin

web scripts

security vulnerability

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

50.3%

JSON

The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics.

Affected configurations

Vulners

NVD

Node

monsterinsightsmonsterinsightsRange<8.9.1

VendorProductVersionCPE
monsterinsightsmonsterinsights*cpe:2.3:a:monsterinsights:monsterinsights:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
monsterinsights	monsterinsights	*	cpe:2.3:a:monsterinsights:monsterinsights::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "MonsterInsights",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "8.9.1"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]