WordPress Plugin Vulnerabilities

Night Mode < 1.4.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks woven when unfiltered_html is disallowed

Affects Plugins

Plugin icon
night-mode
Fixed in 1.4.0

References

CVE
CVE-2022-29418

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ex.Mi
Verified
No
WPVDB ID
0f43781b-62ea-4a82-a474-0ab17e51609b

Timeline

Publicly Published
2022-04-25 (about 4 years ago)
Added
2022-04-25 (about 4 years ago)
Last Updated
2022-04-27 (about 4 years ago)

Other

Published
Title
Published
2024-12-13
Title
glomex oEmbed < 0.9.2 - Contributor+ Stored XSS
Published
2024-04-16
Title
Backend Designer < 1.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-12-17
Title
DesignThemes Portfolio Addon <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-15
Title
Bounce Handler MailPoet 3 <= 1.3.21 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
MF Gig Calendar 0.9.4.1 - URL Cross-Site Scripting