WP Home Page Menu < 3.1 – Admin+ Stored Cross-Site Scripting | CVE 2022-0684

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in any of text field settings of the plugin (such as 'Home Page Menu Label'): "><svg onload=alert(/XSS/)>

Affects Plugins

wp-home-page-menu

Fixed in 3.1

References

CVE

CVE-2022-0684

URL

https://plugins.trac.wordpress.org/changeset/2681478

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

fuzzyap1

Submitter

fuzzyap1

Verified

Yes

WPVDB ID

69b178f3-5951-4879-9bbe-183951d002ec

Timeline

Publicly Published

2022-02-21 (about 3 years ago)

Added

2022-02-21 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2020-07-15

Title

Golo < 1.3.3 - Unauthenticated Reflected XSS

Published

2025-04-21

Title

Ocean Extra < 2.4.7 - Contributor+ Stored XSS via Shortcode

Published

2024-12-20

Title

WP on AWS < 5.2.2 - Reflected Cross-Site Scripting

Published

2024-11-20

Title

Grey Owl Lightbox <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-08-18

Title

Jock on air now < 5.6.3 - Authenticated Stored Cross-Site Scripting