WordPress Plugin Vulnerabilities

Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled.

Proof of Concept

Affects Plugins

Plugin icon
digiproveblog
No known fix

References

CVE
CVE-2022-1906

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
af4f459e-e60b-4384-aad9-0dc18aa3b338

Timeline

Publicly Published
2022-07-07 (about 3 years ago)
Added
2022-07-07 (about 3 years ago)
Last Updated
2023-04-11 (about 2 years ago)

Other

Published
Title
Published
2021-09-08
Title
User Activation Email <= 1.3.0 - Reflected Cross-Site Scripting
Published
2025-05-01
Title
Taxonomy Chain Menu < 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via pn_chain_menu Shortcode
Published
2023-05-09
Title
GTmetrix for WordPress < 0.4.6 - Reflected Cross-Site Scripting
Published
2025-05-23
Title
Page Builder: Pagelayer – Drag and Drop website builder < 2.0.1 - Reflected Cross-Site Scripting via login_url Parameter
Published
2023-04-18
Title
YellowPencil Visual CSS Style Editor < 7.5.9 - Admin+ Stored XSS