AFS Analytics <= 4.22 – Admin+ Stored XSS | CVE 2022-37402

Affects Plugins

No known fix

References

CVE

CVE-2022-37402

URL

https://patchstack.com/database/wordpress/plugin/addfreestats/vulnerability/wordpress-afs-analytics-plugin-4-15-auth-stored-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

ptsfence

Verified

No

WPVDB ID

7a7f68e9-a8db-40aa-83dd-9f9cbbbc3abd

Timeline

Publicly Published

2022-10-31 (about 3 years ago)

Added

2023-03-15 (about 3 years ago)

Last Updated

2025-06-09 (about 11 months ago)

Other

Published

Title

Published

2024-06-28

Title

Elementor Website Builder < 3.22.2 - Contributor+ Arbitrary SVG Download

Published

2025-01-14

Title

Partners <= 0.2.0 - Reflected Cross-Site Scripting

Published

2024-09-30

Title

Online Booking & Scheduling Calendar for WordPress by vcita < 4.5 - Reflected Cross-Site Scripting

Published

2025-07-07

Title

AI Engine < 2.8.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via `mwai_chatbot` Shortcode `id` Parameter

Published

2026-04-13

Title

Surbma | Booking.com < 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode