WordPress Plugin Vulnerabilities

Plausible Analytics < 1.2.3 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Affects Plugins

Plugin icon
plausible-analytics
Fixed in 1.2.3

References

CVE
CVE-2022-27845

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Jose Aguilera
Verified
No
WPVDB ID
0302db42-b7ce-41cb-90f0-80aedb7d2bda

Timeline

Publicly Published
2022-04-07 (about 3 years ago)
Added
2022-04-12 (about 3 years ago)
Last Updated
2022-05-11 (about 3 years ago)

Other

Published
Title
Published
2025-11-13
Title
Shopkeeper Extender < 7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-07
Title
WP2Social Auto Publish < 2.4.8 - Reflected Cross-Site Scripting via PostMessage
Published
2024-09-02
Title
Quiz and Survey Master (QSM) < 9.1.3 - Author+ Stored XSS
Published
2014-08-01
Title
Thank You Counter Button <= 1.8.2 - Cross-Site Scripting (XSS)
Published
2024-04-12
Title
Easy Contact Form Lite < 1.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting