WordPress Plugin Vulnerabilities

WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Affects Plugins

Plugin icon
wp-socializer
Fixed in 7.3

References

CVE
CVE-2022-2763

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Verified
Yes
WPVDB ID
36a7b872-31fa-4375-9be7-8f787e616ed5

Timeline

Publicly Published
2022-09-06 (about 3 years ago)
Added
2022-09-06 (about 3 years ago)
Last Updated
2022-09-06 (about 3 years ago)

Other

Published
Title
Published
2025-01-10
Title
User Messages <= 1.2.4 - Reflected XSS
Published
2024-10-24
Title
WP Abstracts < 2.7.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-05-20
Title
Formulario de contacto SalesUp! <= 1.0.14 - Reflected Cross-Site Scripting
Published
2025-04-24
Title
Carousel-of-post-images <= 1.07 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-10-17
Title
Skype Legacy Buttons <= 3.1 - Contributor+ Stored XSS