WordPress Plugin Vulnerabilities

Smush < 3.9.9 - Admin+ Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file

Proof of Concept

Affects Plugins

Plugin icon
wp-smushit
Fixed in 3.9.9

References

CVE
CVE-2022-1009

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
2.6 (low)

Miscellaneous

Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
https://taurusomar.com
Submitter twitter
taurusomar_
Verified
Yes
WPVDB ID
bb5af08f-bb19-46a1-a7ac-8381f428c11e

Timeline

Publicly Published
2022-05-03 (about 3 years ago)
Added
2022-05-03 (about 3 years ago)
Last Updated
2022-05-04 (about 3 years ago)

Other

Published
Title
Published
2024-10-03
Title
Product Delivery Date for WooCommerce – Lite < 2.7.4 - Reflected Cross-Site Scripting
Published
2025-09-09
Title
Dynamic Text Field For Contact Form 7 < 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-07-10
Title
Feeds for YouTube (YouTube video, channel, and gallery plugin) < 2.2.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Published
2023-01-04
Title
Pricing Tables WordPress Plugin – Easy Pricing Tables < 3.2.3 - Contributor+ Stored XSS via Shortcode
Published
2024-11-08
Title
OpenCart Product Display <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting