WordPress Plugin Vulnerabilities

Find and Replace All < 1.3 - Reflected Cross Site Scripting

Description

The plugin does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
find-and-replace-all
Fixed in 1.3

References

CVE
CVE-2022-2311

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Submitter
Vinay Varma Mudunuri
Verified
Yes
WPVDB ID
287a14dc-d1fc-481d-84af-7eb172dc68c9

Timeline

Publicly Published
2022-11-03 (about 3 years ago)
Added
2022-11-03 (about 3 years ago)
Last Updated
2022-11-03 (about 3 years ago)

Other

Published
Title
Published
2024-12-05
Title
Wot Elementor Widgets <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-29
Title
MaxButtons < 9.8.1 - Admin+ Stored XSS via Text Color
Published
2025-06-27
Title
WP Visual Sitemap <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-06
Title
Pets <= 1.4.1 - Reflected Cross-Site Scripting
Published
2024-06-22
Title
WP eMember < 10.6.6 - Reflected XSS