Lucene search
WPScanCVE-2022-3904HistoryJan 16, 2023 - 4:15 p.m.
CVE-2022-3904
2023-01-1616:15:10
CWE-79
WPScan
web.nvd.nist.gov
48
cve-2022-3904
monsterinsights
wordpress plugin
web scripts
security vulnerability
CVSS3
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
0.001
Percentile
46.1%
The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics.
Affected configurations
Node
monsterinsightsmonsterinsightsRange<8.9.1wordpress
| Vendor | Product | Version | CPE |
|---|---|---|---|
| monsterinsights | monsterinsights | * | cpe:2.3:a:monsterinsights:monsterinsights:*:*:*:*:*:wordpress:*:* |
CNA Affected
[
{
"vendor": "Unknown",
"product": "MonsterInsights",
"versions": [
{
"status": "affected",
"versionType": "custom",
"version": "0",
"lessThan": "8.9.1"
}
],
"defaultStatus": "unaffected",
"collectionURL": "https://wordpress.org/plugins"
}
]Related
prion
prion
Code injection
2023-01-16 16:15:00
wpexploit
wpexploit
MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
2022-12-23 00:00:00
openvas
openvas
wpvulndb
wpvulndb
MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
2022-12-23 00:00:00
nvd
nvd
CVE-2022-3904
2023-01-16 16:15:10
githubexploit
githubexploit
Exploit for Cross-site Scripting in Monsterinsights
2023-07-12 09:51:32
cvelist
cvelist
CVSS3
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
0.001
Percentile
46.1%
Related for CVE-2022-3904