WordPress Plugin Vulnerabilities

Very Simple Breadcrumb <= 1.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Affects Plugins

Plugin icon
very-simple-breadcrumb
No known fix

References

CVE
CVE-2022-2149

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Rahul Selvakumar
Submitter
Rahul Selvakumar
Verified
Yes
WPVDB ID
40191e87-8648-47ef-add0-d7180e8ffe13

Timeline

Publicly Published
2022-06-21 (about 3 years ago)
Added
2022-06-21 (about 3 years ago)
Last Updated
2023-03-28 (about 2 years ago)

Other

Published
Title
Published
2022-12-02
Title
Chained Quiz < 1.3.2.3 - Admin+ Stored XSS
Published
2025-04-01
Title
Turisbook Booking System <= 1.3.8 - Contributor+ Stored XSS
Published
2025-09-05
Title
WordPress Events Calendar Plugin – connectDaily <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-11-24
Title
SEO Rank Reporter <= 2.2.2 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2025-11-20
Title
WP Company Info <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode