Skip to main content

CVE-2022-4519

Severity Medium
Score 4.8/10

Summary

The WP User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • HIGH
  • LOW
  • NONE

References

Advisory Timeline

  • Published