The Simple SEO plugin for WordPress is vulnerable to attribute-based stored Cross-Site Scripting in versions up to, and including 1.7.91, due to insufficient sanitization or escaping on the SEO social and standard title parameters. This can be exploited by authenticated users with Contributor and above permissions to inject arbitrary web scripts into posts/pages that execute whenever an administrator access the page.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2754807%40cds-simple-seo&new=2754807%40cds-simple-seo&sfp_email=&sfph_mail= | Patch Third Party Advisory |
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1628 | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2022-09-06 18:15
Updated : 2024-02-28 19:29
NVD link : CVE-2022-1628
Mitre link : CVE-2022-1628
CVE.ORG link : CVE-2022-1628
JSON object : View
Products Affected
coleds
- simple_seo
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')