User Registration, Login & Landing Pages <= 1.2.7 – Admin+ Stored Cross-Site Scripting | CVE 2022-0232 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

custom-landing-pages-leadmagic

No known fix

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0232

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Big Tiger

Verified

Yes

WPVDB ID

ac55ffd1-b1e3-4ace-9d3a-d2ecb33a4a94

Timeline

Publicly Published

2022-01-18 (about 4 years ago)

Added

2022-01-18 (about 4 years ago)

Last Updated

2022-04-08 (about 4 years ago)

Other

Published

Title

Published

2025-12-31

Title

Post Signature <= 0.4.1 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2025-05-07

Title

Contest Gallery < 26.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2025-01-07

Title

Simple Locator <= 2.0.4 - Reflected Cross-Site Scripting

Published

2025-06-04

Title

Forminator < 1.44.2 - Contributor+ Stored DOM-Based XSS via id and data-size Parameters

Published

2018-12-10

Title

WooCommerce <= 3.4.5 - Authenticated Stored XSS