Wordfence Security – Firewall & Malware Scan <= 7.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting
CVE-2022-3144

4.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Wordfence Security – Firewall, Malware Scan, And Login Security
Vendor: CVE Published:; 23 September 2022

Summary

The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value. This makes it possible for authenticated users, with administrative privileges, to inject malicious web scripts into the setting that executes whenever a user accesses a page displaying the affected setting on sites running a vulnerable version.

Affected Version(s)

Wordfence Security – Firewall, Malware Scan, and Login Security * <= 7.6.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wordfence/#developers

https://www.wordfence.com/vulnerability-advisories/#CVE-2...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Sep 23, 2022
Vulnerability Reserved
Sep 6, 2022

Credit

Ori Gabriel