Loading Page with Loading Screen < 1.0.83 – Admin+ Stored Cross-Site Scripting | CVE 2022-2169 | Plugin Vulnerabilities

Description

The plugin does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Go to Settings -> Loading Page, in the "Display loading screen in" settings, select either "specific pages" or "specific post types" and ut the following payload in the related text field: "onmouseover=alert(/XSS/)//

Affects Plugins

Fixed in 1.0.83

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nikhil Kapoor

Submitter

Nikhil Kapoor

Submitter website

https://www.linkedin.com/in/nikhil786/

Verified

Yes

WPVDB ID

a9f4aab7-b42b-4bb6-b05d-05407f935230

Timeline

Publicly Published

2022-06-23 (about 3 years ago)

Added

2022-06-23 (about 3 years ago)

Last Updated

2023-04-01 (about 2 years ago)

Other

Published

Title

Published

2024-01-18

Title

Booking for Appointments and Events Calendar – Amelia < 1.0.94 - Contributor+ Stored Cross-Site Scripting via shortcode

Published

2025-09-05

Title

Stagtools <= 2.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-04

Title

Brizy – Page Builder < 2.4.44 - Authenticated(Contributor+) Stored Cross-Site Scripting via Form Functionality

Published

2023-05-09

Title

Restaurant Menu < 2.3.7 - Reflected XSS

Published

2021-09-21

Title

Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting