WordPress Plugin Vulnerabilities

LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Affects Plugins

Plugin icon
company-updates-for-linkedin
No known fix

References

CVE
CVE-2022-2148

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Submitter
Vinay Varma Mudunuri
Verified
Yes
WPVDB ID
92214311-da6d-49a8-95c9-86f47635264f

Timeline

Publicly Published
2022-06-21 (about 3 years ago)
Added
2022-06-21 (about 3 years ago)
Last Updated
2023-03-28 (about 2 years ago)

Other

Published
Title
Published
2025-10-02
Title
Interactive Medical Drawing of Human Body <= 2.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-09-26
Title
Team Members < 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
Gigaom Sphinx <= 0.1 - Reflected Cross-Site Scripting
Published
2025-01-03
Title
Astra Widgets < 1.2.16 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-18
Title
Gutenslider < 5.2.0 - Contributor+ Stored XSS