MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
CVE-2022-3904

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Monsterinsights
Vendor: CVE Published:; 16 January 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 41%

What is CVE-2022-3904?

The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MonsterInsights 0 < 8.9.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-3904 - Proof of Concept

CVE-2022-3904
Created by RandomRobbieBF

References

https://wpscan.com/vulnerability/244d9ef1-335c-4f65-94ad-...

exploitvdb-entrytechnical-description

EPSS Score

41% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Jul 12, 2023
👾
Exploit known to exist
Jul 12, 2023
Vulnerability published
Jan 16, 2023
Vulnerability Reserved
Nov 9, 2022

Credit

Grzegorz Niedziela

WPScan

JSON

Wordpress