WordPress Plugin Vulnerabilities

Sidebar Widgets by CodeLights <= 1.4 - Admin+ Stored Cross Site Scripting

Description

The plugin does not properly sanitize or escape the Extra CSS class parameter, allowing high privileged users, such as an administrator to inject arbitrary web scripts into pages, even when the unfiltered html capability is disabled (e.g in multisite setups.)

Affects Plugins

Plugin icon
codelights-shortcodes-and-widgets
No known fix

References

CVE
CVE-2022-4619

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
7eafe92f-b0ab-4417-834f-2c1920225347

Timeline

Publicly Published
2022-12-19 (about 3 years ago)
Added
2022-12-21 (about 3 years ago)
Last Updated
2022-12-21 (about 3 years ago)

Other

Published
Title
Published
2024-04-29
Title
WP Shortcodes Plugin — Shortcodes Ultimate < 7.1.3 - Contributor+ Stored XSS
Published
2022-08-22
Title
Classima < 2.1.11 - Reflected Cross-Site Scripting
Published
2026-01-08
Title
Image&Video FullScreen Background <= 1.6.7 - Reflected Cross-Site Scripting
Published
2025-03-31
Title
Ultimate Live Cricket WordPress Lite <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-20
Title
igumbi Online Booking < 1.41 - Authenticated (Contributor+) Stored Cross-Site Scripting