WordPress Plugin Vulnerabilities

0mk Shortener <= 0.2 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
0mk-shortener
No known fix

References

CVE
CVE-2022-45361

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rodrigo Escobar - ipax
Verified
No
WPVDB ID
f689d95a-0eb6-42f9-9498-8e965ee067ea

Timeline

Publicly Published
2023-02-02 (about 3 years ago)
Added
2023-04-24 (about 2 years ago)
Last Updated
2023-04-24 (about 2 years ago)

Other

Published
Title
Published
2024-07-10
Title
Tutor LMS < 2.7.3 - Authenticated (Tutor Instructor+) Stored Cross-Site Scripting
Published
2023-02-20
Title
Video Background < 2.7.5 - Contributor+ Stored XSS via Shortcode
Published
2022-12-02
Title
Chained Quiz < 1.3.2.3 - Admin+ Stored XSS
Published
2024-06-22
Title
Index WP MySQL For Speed < 1.4.18 - Admin+ Reflected XSS
Published
2025-12-04
Title
SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode