WordPress Plugin Vulnerabilities

IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Affects Plugins

Plugin icon
imdb-info-box
No known fix

References

CVE
CVE-2022-1294

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Fayçal CHENA
Submitter
Fayçal CHENA
Submitter website
https://fafachena.com/
Submitter twitter
faycal_chena
Verified
Yes
WPVDB ID
205a24b8-6d14-4458-aecd-79748e1324c7

Timeline

Publicly Published
2022-05-09 (about 3 years ago)
Added
2022-05-09 (about 3 years ago)
Last Updated
2022-05-10 (about 3 years ago)

Other

Published
Title
Published
2025-01-03
Title
Email Reminders < 2.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2022-09-12
Title
DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting
Published
2014-08-01
Title
ZooEffect 1.08 - HTTP Referer Reflected XSS
Published
2023-10-25
Title
WP Simple HTML Sitemap < 2.3 - Reflected XSS
Published
2025-06-02
Title
Ocean Extra < 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting