CVE-2022-4142

2023-01-0222:15:16

[email protected]

web.nvd.nist.gov

wordpress

filter gallery

html injection

javascript injection

administrator issue

security vulnerability

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.3%

JSON

The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfiltered_html capability is disabled.

Affected configurations

Nvd

Node

wordpress_filter_gallery_projectwordpress_filter_galleryRange<0.1.6wordpress

VendorProductVersionCPE
wordpress_filter_gallery_projectwordpress_filter_gallery*cpe:2.3:a:wordpress_filter_gallery_project:wordpress_filter_gallery:*:*:*:*:*:wordpress:*:*