CVE-2022-3892 WP OAuth Server < 4.2.2 - Admin+ Stored XSS

2022-12-0516:50:32

WPScan

www.cve.org

wp oauth server

plugin

vulnerability

stored xss

attack

wordpress

admin

client ids

high privilege

cross-site scripting

unfiltered html

multisite setup

0.001 Low

EPSS

Percentile

24.9%

JSON

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WP OAuth Server (OAuth Authentication)",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "4.2.2"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

wpscan.com/vulnerability/33dddaec-a32a-4fce-89d6-164565be13e1

0.001 Low

EPSS

Percentile

24.9%

JSON

Related for CVELIST:CVE-2022-3892