WordPress Plugin Vulnerabilities

Image Hover Effects Ultimate < 9.8.0 - Authenticated Stored XSS

Description

The plugin does not sanitise and escape the Media Image URL, Video Link, Title and Description field of an Image Hover, which could lead to Stored XSS when low privileged users are allowed to access the plugin's feature (which can be set via the plugin settings)

Affects Plugins

Plugin icon
image-hover-effects-ultimate
Fixed in 9.8.0

References

CVE
CVE-2022-2935
CVE
CVE-2022-2936
CVE
CVE-2022-2937

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Zhouyuan Yang
Verified
No
WPVDB ID
df267645-5b46-47a0-b6ef-d0c1d8f16231

Timeline

Publicly Published
2022-08-31 (about 3 years ago)
Added
2022-08-31 (about 3 years ago)
Last Updated
2022-08-31 (about 3 years ago)

Other

Published
Title
Published
2025-03-28
Title
FormLift for Infusionsoft Web Forms < 7.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Booking System - Reflected Cross-Site Scripting (XSS)
Published
2024-09-10
Title
Elementor Website Builder – More than Just a Page Builder < 3.24.0 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets
Published
2025-01-07
Title
Icons Enricher <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-05-17
Title
Advanced Admin Search < 1.1.6 - Reflected Cross-Site Scripting