Stored Cross-Site Scripting in Permalink Manager Lite for WordPress
CVE-2022-4410
6.4 MEDIUM
Summary
The Permalink Manager Lite plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate output escaping on various titles, including post, page, and media titles. This vulnerability allows attackers to inject harmful web scripts on the permalink-manager page, particularly if other plugins or themes are present that enable lower-privileged users to modify these titles without appropriate filtering. Site administrators should ensure that their installations are updated to mitigate potential risks associated with this vulnerability.
Affected Version(s)
Permalink Manager Lite * <= 2.2.20.3
CVSS V3.1
Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Nicole Sheinin