WordPress Plugin Vulnerabilities

Traffic Manager <= 1.4.5 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not authorisation and does not sanitise as well as escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
traffic-manager
No known fix

References

CVE
CVE-2022-42460

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
49e02d19-3f23-433a-8b84-15a5b3831a86

Timeline

Publicly Published
2022-10-24 (about 3 years ago)
Added
2022-11-11 (about 3 years ago)
Last Updated
2022-11-11 (about 3 years ago)

Other

Published
Title
Published
2025-08-07
Title
BaiduXZH Submit(百度熊掌号) <= 1.4.6 - Reflected Cross-Site Scripting
Published
2025-07-21
Title
WP-Members < 3.5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-04-08
Title
UsersWP < 1.2.61 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution
Published
2015-04-20
Title
Related Posts < 1.8.2 - XSS
Published
2022-08-10
Title
Best Payments Plugin for WP < 4.2.1 - Unauthenticated Stored Cross-Site Scripting