CVE-2022-4751 — Vulnetix

CVE-2022-4751 PUBLISHED CVSS 5.400000095367432 MEDIUM

The Word Balloon WordPress plugin before 4.19.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

EPSS 0.27% · 50.7th percentile

Risk Scores

CVSS 3.1

5.400000095367432

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Score

0.27%

50.7th percentile

Affected Products

Vendor	Product	Versions
back2nature	word_balloon	0
Unknown	Word Balloon	0

Exploit Intelligence

https://wpscan.com/vulnerability/dd5cc04a-042d-402a-ab7a-96aff3d57478 (cve.org)

Timeline

Jan 23, 2023 CVE Published
Jan 24, 2023 EPSS Score
Mar 5, 2023 EPSS Score
Mar 7, 2023 EPSS Score
May 25, 2023 EPSS Score
Jul 5, 2023 EPSS Score
Aug 14, 2023 EPSS Score
Sep 23, 2023 EPSS Score
Nov 3, 2023 EPSS Score
Dec 13, 2023 EPSS Score
Mar 3, 2024 EPSS Score
Apr 13, 2024 EPSS Score

References

https://wpscan.com/vulnerability/dd5cc04a-042d-402a-ab7a-96aff3d57478 exploit
https://www.debian.org/lts/security/2022/dla-3244 advisory
https://www.debian.org/lts/security/2022/dla-3245 advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-4751 advisory

Open in Interactive Console →