WordPress Plugin Vulnerabilities

Gwyn's Imagemap Selector <= 0.3.3 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
gwyns-imagemap-selector
No known fix

References

CVE
CVE-2022-1221

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Submitter
p7e4
Submitter website
https://github.com/p7e4
Submitter twitter
p7e4_
Verified
Yes
WPVDB ID
641be9f6-2f74-4386-b16e-4b9488f0d2a9

Timeline

Publicly Published
2022-04-26 (about 3 years ago)
Added
2022-04-26 (about 3 years ago)
Last Updated
2022-04-27 (about 3 years ago)

Other

Published
Title
Published
2025-05-07
Title
Woobox < 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-07
Title
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor < 3.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Wistia Block
Published
2024-03-07
Title
Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Messenger Chat Widget
Published
2025-10-23
Title
Sprout Clients < 3.2.2 - Reflected Cross-Site Scripting
Published
2024-04-16
Title
Restaurant Menu – Food Ordering System – Table Reservation < 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting