History: Jun 27, 2022 - 8:56 a.m.

CVE-2022-1028 WordPress Security < 4.2.1 - Admin+ Stored Cross-Site Scripting

2022-06-27 08:56:06
CWE-79
WPScan
www.cve.org
wordpress
cross-site scripting
security vulnerability
admin+ stored

EPSS: 0.001

Percentile: 24.8%

The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings. This allows malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example, in a multisite setup).

CNA Affected

[
  {
    "product": "WordPress Security – Firewall, Malware Scanner, Secure Login and Backup",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "4.2.1",
        "status": "affected",
        "version": "4.2.1",
        "versionType": "custom"
      }
    ]
  }
]
