WordPress Plugin Vulnerabilities

Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Affects Plugins

Plugin icon
miniorange-google-authenticator
Fixed in 1.0.8

References

CVE
CVE-2022-1994

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Niraj Mahajan
Submitter
Niraj Mahajan
Submitter website
https://www.linkedin.com/in/niraj1mahajan/
Submitter twitter
niraj1mahajan
Verified
Yes
WPVDB ID
114d94be-b567-4b4b-9a44-f2c05cdbe18e

Timeline

Publicly Published
2022-06-06 (about 3 years ago)
Added
2022-06-06 (about 3 years ago)
Last Updated
2023-03-07 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Product Catalog Simple < 1.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-19
Title
Jobs for WordPress < 2.7.15 - Contributor+ Stored XSS
Published
2021-08-13
Title
WP Songbook <= 2.0.11 - Reflected Cross-Site Scripting
Published
2016-10-21
Title
Heat Trackr <= 1.0 - XSS
Published
2021-07-29
Title
Alojapro Widget < 1.1.16 - Authenticated Stored Cross-Site Scripting (XSS)