WordPress Plugin Vulnerabilities

WP Maintenance < 6.0.8 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-maintenance
Fixed in 6.0.8

References

CVE
CVE-2022-30536

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
BEE-K
Verified
Yes
WPVDB ID
142c2bf9-50c2-477c-9de0-5b2860abca49

Timeline

Publicly Published
2022-06-28 (about 3 years ago)
Added
2022-07-25 (about 3 years ago)
Last Updated
2023-04-21 (about 3 years ago)

Other

Published
Title
Published
2021-10-14
Title
Author Bio Box < 3.4.0 - Admin+ Stored Cross-Site Scripting
Published
2026-03-25
Title
Blackhole for Bad Bots < 3.8.1 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header
Published
2026-02-18
Title
Groups < 3.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode
Published
2025-05-02
Title
Personizely < 0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via widgetId Parameter
Published
2023-05-22
Title
AI ChatBot < 4.5.5 - Admin+ Stored Cross-Site Scripting