WordPress Plugin Vulnerabilities

Breeze < 2.0.3 - Subscriber+ Arbitrary Settings Update to Stored XSS

Description

The plugin is lacking authorisation, CSRF and sanitisation in its AJAX actions available to any authenticated users, which could allow any logged in user to change the plugin's settings and perform XSS attacks

Affects Plugins

Plugin icon
breeze
Fixed in 2.0.3

References

CVE
CVE-2022-29444

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
dab64366-a42f-4625-924a-18a83a70addc

Timeline

Publicly Published
2022-05-02 (about 4 years ago)
Added
2022-05-02 (about 4 years ago)
Last Updated
2022-05-03 (about 4 years ago)

Other

Published
Title
Published
2026-05-12
Title
MonsterInsights < 10.1.3 - Subscriber+ Sensitive Information Exposure and Plugin Integration Reset
Published
2024-04-29
Title
Exclusive Addons Elementor < 2.6.9.2 - Missing Authorization to Post Duplication
Published
2025-12-18
Title
DirectoryPress – Business Directory And Classified Ad Listing < 3.6.27 - Missing Authorization
Published
2026-03-15
Title
Tutor LMS < 3.9.8 - Missing Authorization
Published
2025-12-31
Title
Vireo <= 1.0.24 - Missing Authorization