Image optimization & Lazy Load < 3.3.2 – Admin+ Stored Cross-Site Scripting | CVE 2022-0969 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payload in the Media > Optimole > Advanced > Lazyload > Lazyload background images for selectors settings: </sCriPT><sVg ONLoAd=confirm(1)//

The XSS will be triggered in each page of the frontend, as well as in the admin dashboard

Affects Plugins

Fixed in 3.3.2

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2695242

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Submitter

Mika

Submitter website

https://mikadmin.fr/

Submitter twitter

Verified

Yes

WPVDB ID

59a7a441-7384-4006-89b4-15345f70fabf

Timeline

Publicly Published

2022-03-21 (about 3 years ago)

Added

2022-03-21 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2021-04-01

Title

Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-01-24

Title

WP Contact Form7 Email Spam Blocker <= 1.0.0 - Reflected Cross-Site Scripting

Published

2024-10-03

Title

Re:WP < 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2023-09-05

Title

User Submitted Posts < 20230901 - Contributor+ Stored XSS via Shortcode

Published

2025-05-19

Title

bunny.net < 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting