WordPress Plugin Vulnerabilities

Usersnap < 4.17 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape its API Key settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
usersnap
Fixed in 4.17

References

CVE
CVE-2022-47607

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
15c3b0b6-2658-48a2-90aa-694a077e5975

Timeline

Publicly Published
2023-02-02 (about 3 years ago)
Added
2023-03-30 (about 3 years ago)
Last Updated
2023-03-30 (about 3 years ago)

Other

Published
Title
Published
2024-11-21
Title
AffiliateImporterEb <= 1.0.6 - Reflected XSS
Published
2024-05-07
Title
Table Maker <= 1.9.1 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2023-03-17
Title
Bookly < 21.6 - Unauthenticated Stored XSS
Published
2024-04-24
Title
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More < 3.7.1 - Contributor+ Stored Cross-Site Scripting via Widget Post Overlay
Published
2026-02-26
Title
LambertGroup - AllInOne - Content Slider <= 3.8 - Reflected Cross-Site Scripting