Google Places Review < 2.0.0 – Admin+ Stored Cross Site Scripting | CVE 2022-1772

Description

The plugin does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.

Proof of Concept

Put the following payload in the "Google Places API Key" settings of the plugin: test" onfocus=javascript:alert('xss') height="

Affects Plugins

google-places-reviews

Fixed in 2.0.0

References

CVE

CVE-2022-1772

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Krishna Harsha Kondaveeti

Submitter

krishna harsha

Verified

Yes

WPVDB ID

02addade-d191-4e45-b7b5-2f3f673679ab

Timeline

Publicly Published

2022-05-17 (about 3 years ago)

Added

2022-05-17 (about 3 years ago)

Last Updated

2022-05-18 (about 3 years ago)

Other

Published

Title

Published

2022-05-23

Title

Keep Backup Daily < 2.0.3 - Reflected Cross-Site Scripting

Published

2015-09-15

Title

WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)

Published

2025-09-22

Title

Custom iFrame for Elementor < 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-11

Title

Category Icon < 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2024-12-11

Title

FAQ And Answers – Create Frequently Asked Questions Area on WP Sites < 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting