WordPress Plugin Vulnerabilities

WP Paginate < 2.1.9 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfiltered_html is disallowed

Proof of Concept

Affects Plugins

Plugin icon
wp-paginate
Fixed in 2.1.9

References

CVE
CVE-2022-2050

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
2.6 (low)

Miscellaneous

Original Researcher
iohex
Submitter
iohex
Submitter twitter
iohehe
Verified
Yes
WPVDB ID
016453e3-803b-4a67-8ea7-2d228c2998d4

Timeline

Publicly Published
2022-06-16 (about 3 years ago)
Added
2022-06-16 (about 3 years ago)
Last Updated
2023-03-20 (about 2 years ago)

Other

Published
Title
Published
2025-06-18
Title
Smart Notification <= 10.3 - Reflected Cross-Site Scripting
Published
2025-02-03
Title
Smartarget <= 1.5.3 - Subscriber+ Stored XSS
Published
2024-06-05
Title
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution < 4.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via hover_animation Parameter
Published
2025-01-16
Title
Ni WooCommerce Sales Report Email <= 3.1.4 - Reflected Cross-Site Scripting
Published
2025-03-03
Title
AFI < 1.100.0 - Admin+ Stored XSS