Stored Cross-Site Scripting in Image Hover Effects Ultimate Plugin for WordPress
CVE-2022-4207

5.5 MEDIUM

Key Information:

Summary

The Image Hover Effects Ultimate plugin for WordPress, in versions 9.8.1 through 9.8.4, is vulnerable to stored cross-site scripting through various values added to Image Hovers. The weakness arises from insufficient input sanitization and output escaping, which lets authenticated attackers inject arbitrary web scripts into pages. When a user visits an affected page, the injected scripts execute in that user's browser, potentially compromising user data or site functionality. Although the feature is intended only for administrators, an admin who grants lower-privileged users access via the 'Who Can Edit?' setting opens an avenue for exploitation.
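The advisory names the two missing controls: sanitization when an Image Hover value is saved, and escaping when it is rendered. The PHP below is an added illustration written for this page, not the plugin's own code; it shows a minimal unsafe save/render pair next to the hardened pattern WordPress expects. The function names (`ihe_demo_*`), the option key `ihe_demo_hover`, the nonce action and the field names are assumptions; the WordPress API functions used (`sanitize_text_field`, `wp_kses_post`, `esc_url_raw`, `esc_html`, `esc_url`, `current_user_can`, `check_admin_referer`) are real.

```php
<?php
// Added example (not the plugin's code). Names prefixed ihe_demo_ and the
// option key 'ihe_demo_hover' are assumptions chosen for this illustration.

// --- Unsafe pattern: values stored and echoed as submitted.
function ihe_demo_save_unsafe( array $post ) {
    $hover = array(
        'title'   => $post['title'] ?? '',
        'link'    => $post['link'] ?? '',
        'content' => $post['content'] ?? '',
    );
    update_option( 'ihe_demo_hover', $hover );
}

function ihe_demo_render_unsafe() {
    $h = get_option( 'ihe_demo_hover', array() );
    // Raw interpolation: a stored <script> tag, an onerror= attribute, or a
    // javascript: link runs in the browser of every visitor to this page.
    echo '<div class="hover"><a href="' . ( $h['link'] ?? '' ) . '">'
        . ( $h['title'] ?? '' ) . '</a>' . ( $h['content'] ?? '' ) . '</div>';
}

// --- Hardened pattern: capability + nonce on write, sanitize on save,
// escape on output (the escape is applied even though the value was sanitized).
function ihe_demo_save_safe( array $post ) {
    // Enforce a real capability; a plugin-level "Who Can Edit?" toggle is
    // not a substitute, because the stored markup renders to all visitors.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'ihe_demo_save' );

    $hover = array(
        // Plain text: strip tags and control characters.
        'title'   => sanitize_text_field( wp_unslash( $post['title'] ?? '' ) ),
        // URL field: rejects javascript: and other non-allowed schemes.
        'link'    => esc_url_raw( wp_unslash( $post['link'] ?? '' ) ),
        // Rich text: keep only the tags/attributes allowed for post content.
        'content' => wp_kses_post( wp_unslash( $post['content'] ?? '' ) ),
    );
    update_option( 'ihe_demo_hover', $hover );
}

function ihe_demo_render_safe() {
    $h = get_option( 'ihe_demo_hover', array() );
    printf(
        '<div class="hover"><a href="%s">%s</a>%s</div>',
        esc_url( $h['link'] ?? '' ),       // attribute context, URL
        esc_html( $h['title'] ?? '' ),     // text context
        wp_kses_post( $h['content'] ?? '' ) // limited HTML context
    );
}
```

The escaping function is chosen per output context (URL attribute, text node, limited HTML), which is why a single generic "sanitize" call at save time is not enough on its own; both layers are needed for the stored values the advisory describes.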

Affected Version(s)

Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier), versions 9.8.1 through 9.8.4

References

CVSS v3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Dan Shallom