WordPress Plugin Vulnerabilities

Nested Pages < 3.1.21 - Admin+ Stored Cross Site Scripting

Description

The plugin does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed

Proof of Concept

Affects Plugins

Plugin icon
wp-nested-pages
Fixed in 3.1.21

References

CVE
CVE-2022-1990

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Sachin Bahl from eSec Forte Technologies Pvt Ltd
Submitter
Sachin Bahl from eSec Forte Technologies Pvt Ltd
Submitter website
https://www.linkedin.com/in/sachin-bahl-6072084/
Verified
Yes
WPVDB ID
42f1bf1f-95a8-41ee-a637-88deb80ab870

Timeline

Publicly Published
2022-06-06 (about 3 years ago)
Added
2022-06-06 (about 3 years ago)
Last Updated
2023-03-09 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
2-Click-Socialmedia-Buttons <= 0.34 - Cross Site Scripting
Published
2015-06-04
Title
Events Manager < 5.5.7.1 - DOM Cross-Site Scripting (XSS)
Published
2025-08-14
Title
Radius Blocks <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via subHeadingTagName Parameter
Published
2012-05-15
Title
WP Statistics <= 2.2.4 - Cross-Site Scripting (XSS)
Published
2023-06-08
Title
FiboSearch - AJAX Search for WooCommerce < 1.24.0 - Admin+ Stored Cross-Site Scripting