CVE-2022-1028

State: PUBLISHED · Published: 2022-06-27 · Updated: 2024-08-02 · Assigner: WPScan

Description

The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

CWE

CWE-79 — CWE-79 Cross-site Scripting (XSS)

Affected

Unknown / WordPress Security – Firewall, Malware Scanner, Secure Login and Backup — v=4.2.1 <4.2.1 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/16fc08ec-8476-4f3c-93ea-6a51ed880dd5 x_refsource_MISC

Source

cvelistV5-main/cves/2022/1xxx/CVE-2022-1028.json