CVE-2022-4243

🗓️ 26 Dec 2022 12:28:00Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 52 Views🌐 WEB

The ImageInject WordPress plugin allows Stored XSS attacks by high privilege users

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2022-4243	26 Dec 202216:40	–	circl
CNNVD	WordPress plugin ImageInject 跨站脚本漏洞	26 Dec 202200:00	–	cnnvd
Cvelist	CVE-2022-4243 ImageInject <= 1.17 - Admin+ Stored XSS	26 Dec 202212:28	–	cvelist
EUVD	EUVD-2022-51601	3 Oct 202520:07	–	euvd
NVD	CVE-2022-4243	26 Dec 202213:15	–	nvd
OSV	CVE-2022-4243	26 Dec 202213:15	–	osv
Prion	Cross site scripting	26 Dec 202213:15	–	prion
Positive Technologies	PT-2022-26432 · WordPress · Imageinject	26 Dec 202200:00	–	ptsecurity
RedhatCVE	CVE-2022-4243	23 May 202500:35	–	redhatcve
Vulnrichment	CVE-2022-4243 ImageInject <= 1.17 - Admin+ Stored XSS	26 Dec 202212:28	–	vulnrichment

NVD

Vulners

Node

wpscoop imageinjectRange≤1.17wordpress

[
  {
    "vendor": "Unknown",
    "product": "ImageInject",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "1.17"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/fc1fc057-97ee-4a10-909f-2f11eafa0bd0

Parameter	Position	Path	Description	CWE
_wpnonce	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
advanced_attr_template	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
advanced_attr_template_multi	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
advanced_filename_template	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
flickr_enabled	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
flickr_license	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
flickr_sort	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
pixabay_enabled	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
pixabay_image_type	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79
general_save_images	request body	wp-admin/options-general.php?page=wpdf-options	Stored XSS via unsanitised settings in ImageInject plugin (version up to 1.17) allowing admin to inject scripts through template fields.	CWE-79

12 Apr 2025 00:15Current

4.7Medium risk

Vulners AI Score4.7

CVSS 3.14.8

EPSS0.00288

SSVC