WordPress Plugin Vulnerabilities

Permalink Manager Lite < 2.3.0 - Authenticated Stored XSS

Description

The plugin does not escape page/post and media titles, which could allow attackers to perform Stored XSS attacks when another plugin/theme allowing low privilege users to modify such titles is active on the blog as well

Affects Plugins

Plugin icon
permalink-manager
Fixed in 2.3.0

References

CVE
CVE-2022-4410

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Nicole Sheinin
Verified
No
WPVDB ID
004a4516-7704-40df-b939-7a8ceeb7e7de

Timeline

Publicly Published
2022-12-14 (about 3 years ago)
Added
2022-12-14 (about 3 years ago)
Last Updated
2022-12-14 (about 3 years ago)

Other

Published
Title
Published
2021-08-25
Title
MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting
Published
2026-02-10
Title
WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
Published
2024-06-05
Title
Frontend Checklist <= 2.3.2 - Admin+ Stored XSS
Published
2023-08-11
Title
ImageRecycle pdf & image compression < 3.1.12 - Reflected XSS
Published
2025-12-23
Title
Responsive Posts Carousel Pro < 15.3 - Authenticated (Contributor+) Stored Cross-Site Scripting