WP Cerber Security < 9.2 – Unauthenticated Stored XSS | CVE 2022-4712 | Plugin Vulnerabilities

Description

The plugin is vulnerable to stored cross-site scripting via the log parameter when logging in to the site in versions up to, and including, 9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept

1. Attempt to log in as a user with the following username:

username" onmouseover=alert(/xss/) "

2. As an admin user, view WP Cerber > Dashboard > Activity.

3. Mouse over the malicious username to trigger the XSS.

Affects Plugins

Fixed in 9.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Verified

Yes

WPVDB ID

913bcb29-4bdb-4767-8db7-50c6bbc7d542

Timeline

Publicly Published

2023-04-19 (about 2 years ago)

Added

2023-10-20 (about 2 years ago)

Last Updated

2023-10-20 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Zopim Live Chat <= 1.2.5 - XSS in ZeroClipboard

Published

2023-12-26

Title

HashBar – WordPress Notification Bar < 1.4.2 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2026-02-27

Title

Porto <= 7.6.2 - Reflected Cross-Site Scripting

Published

2025-06-27

Title

Free Downloads EDD <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-10-02

Title

Notice Bar < 3.1.1 - Contributor+ Stored XSS