Lucene search

[email protected]NVD:CVE-2022-4464

HistoryJan 16, 2023 - 4:15 p.m.

CVE-2022-4464

2023-01-1616:15:12

[email protected]

web.nvd.nist.gov

wordpress

plugin

vulnerability

stored cross-site scripting

admin

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.4%

JSON

Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin.

Affected configurations

Nvd

Node

themifyportfolio_postRange<1.2.1wordpress

VendorProductVersionCPE
themifyportfolio_post*cpe:2.3:a:themify:portfolio_post:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
themify	portfolio_post	*	cpe:2.3:a:themify:portfolio_post::::::wordpress::*

References

wpscan.com/vulnerability/1d3636c1-976f-4c84-8cca-413e38170d0c