WordPress Plugin Vulnerabilities

Header Footer Code Manager < 1.1.24 - Reflected Cross-Site Scripting

Description

The plugin does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
header-footer-code-manager
Fixed in 1.1.24

References

CVE
CVE-2022-0899

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
https://taurusomar.com
Submitter twitter
taurusomar_
Verified
Yes
WPVDB ID
1772417a-1abb-4d97-9694-1254840defd1

Timeline

Publicly Published
2022-07-04 (about 3 years ago)
Added
2022-07-04 (about 3 years ago)
Last Updated
2023-04-07 (about 2 years ago)

Other

Published
Title
Published
2024-10-24
Title
Firelight Lightbox < 2.3.4 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2025-09-05
Title
WP-GraphViz <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-14
Title
Post and Page Builder by BoldGrid < 1.27.6 - Contributor+ Stored XSS
Published
2021-07-19
Title
Custom Login Redirect <= 1.0.0 - CSRF to Stored XSS
Published
2023-01-03
Title
PDF Viewer < 1.0.0 - Contributor+ Stored XSS via Shortcode