WordPress Plugin Vulnerabilities

Header Footer Code Manager < 1.1.17 - Reflected Cross-Site Scripting

Description

The plugin does not escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Affects Plugins

Plugin icon
header-footer-code-manager
Fixed in 1.1.17

References

CVE
CVE-2022-0710
URL
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Verified
Yes
WPVDB ID
23df8f1f-feb9-4d42-9b91-130acf656e71

Timeline

Publicly Published
2022-02-22 (about 4 years ago)
Added
2022-02-22 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2014-08-01
Title
Schreikasten 0.14.13 - wp-admin/admin-ajax.php Multiple Parameter XSS
Published
2024-05-21
Title
Automatic Translator with Google Translate <= 1.5.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Custom Font
Published
2023-11-20
Title
EmbedPress < 3.9.2 - Reflected XSS
Published
2025-06-05
Title
The Events Calendar Countdown Addon < 1.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-19
Title
Kleo < 5.4.4 - Reflected Cross-Site Scripting