WordPress Plugin Vulnerabilities

WP Hide & Security Enhancer < 1.8 - Reflected Cross-Site Scripting

Description

The plugin does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
wp-hide-security-enhancer
Fixed in 1.8

References

CVE
CVE-2022-2538

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Submitter twitter
kazet1234
Verified
Yes
WPVDB ID
afa1e159-30bc-42d2-b3f8-8c868b113d3e

Timeline

Publicly Published
2022-08-08 (about 3 years ago)
Added
2022-08-08 (about 3 years ago)
Last Updated
2023-04-12 (about 2 years ago)

Other

Published
Title
Published
2025-07-31
Title
BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites < 3.2.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Image Slider Widgets
Published
2025-11-10
Title
Precise Columns <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-28
Title
Photo Gallery < 1.8.3 - Stored XSS via CSRF
Published
2014-08-01
Title
Blooog 1.1 - jplayer.swf Cross Site Scripting
Published
2025-06-25
Title
web-cam < 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter