CVE-2022-1393 WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting

Published: 2022-05-16 14:30:51
CWE: CWE-79
Source: WPScan
Reference: www.cve.org
Tags: cve-2022-1393, wp subtitle, cross-site scripting, authenticated users

EPSS

0.001

Percentile

24.8%

The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field to posts and provides the [wp_subtitle] shortcode to display it. The subtitle is stored as custom post meta under the key "wps_subtitle". The value is sanitized when the post is saved or updated through the editor, but not when the meta is updated directly through the post meta update button (the AJAX path), so a crafted subtitle can be stored unsanitized and is later rendered by the shortcode. Because that path is available to authenticated users with a role as low as Contributor, the stored cross-site scripting is exploitable without elevated privileges.
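As an added illustration, not code from the WP Subtitle plugin or its fix, the PHP sketch below shows the pattern the advisory describes, a sanitizer hooked only into the post-save path, next to a hardened variant that registers the meta key with a sanitize_callback so WordPress applies it on every write path (editor form, Custom Fields AJAX box, REST, WP-CLI) and additionally escapes on output. The meta key wps_subtitle and the [wp_subtitle] shortcode come from the advisory; the hook placement, the wp_subtitle_unsafe tag used to keep both variants loadable in one file, and wp_kses_post() as the sanitizer are assumptions made for this example.

```php
<?php
/**
 * Added illustration, not code from the WP Subtitle plugin.
 *
 * Pattern described by the advisory: a subtitle stored as the post meta
 * "wps_subtitle" is sanitized in the post-save handler only, so a write
 * through the Custom Fields meta box (admin-ajax.php, action=add-meta,
 * which ends in update_metadata_by_mid()) stores the raw value and the
 * shortcode later echoes it. Hook placement, the "wp_subtitle_unsafe" tag
 * and wp_kses_post() as the sanitizer are assumptions for this example.
 */

/* ---------- vulnerable pattern: sanitize only on the editor save path ---------- */

add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['wps_subtitle'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Reached only when the post editor form submits the field; a meta
    // update sent from the Custom Fields box never passes through here.
    $subtitle = wp_kses_post( wp_unslash( $_POST['wps_subtitle'] ) );
    update_post_meta( $post_id, 'wps_subtitle', $subtitle );
} );

// Registered under a different tag here so both variants load in one file.
add_shortcode( 'wp_subtitle_unsafe', function () {
    // Raw meta goes straight into the page: the stored-XSS sink whenever the
    // value was written by a path that bypassed the save_post sanitizer.
    return get_post_meta( get_the_ID(), 'wps_subtitle', true );
} );

/* ---------- hardened pattern: sanitize at the meta layer, escape on output ---------- */

add_action( 'init', function () {
    // register_meta() attaches the callback to the sanitize_post_meta_wps_subtitle
    // filter, which sanitize_meta() runs inside add_metadata(), update_metadata()
    // and update_metadata_by_mid(). Every writer therefore gets the same filtering,
    // whichever admin screen, AJAX action or API the value arrives through.
    register_meta( 'post', 'wps_subtitle', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'wp_kses_post',
    ) );
} );

add_shortcode( 'wp_subtitle', function () {
    // Defence in depth: escape at the sink as well, so a value that reached the
    // database by any other means is still neutralised when rendered.
    return wp_kses_post( get_post_meta( get_the_ID(), 'wps_subtitle', true ) );
} );
```

The check a practitioner wants after patching: log in as a Contributor, change wps_subtitle through the Custom Fields meta box on a draft, then confirm that get_post_meta() returns the filtered value and that the page rendered by the shortcode contains no script or event-handler attributes. The meta-layer sanitizer is the real fix; the output escaping protects against values that were already stored before the upgrade.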

CNA Affected

[
  {
    "product": "WP Subtitle",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.4.1",
        "status": "affected",
        "version": "3.4.1",
        "versionType": "custom"
      }
    ]
  }
]
