CVE-2022-4751 — Vulnetix

Try Vulnetix Request Demo

CVE-2022-4751 PUBLISHED CVSS 5.400000095367432 MEDIUM

The Word Balloon WordPress plugin before 4.19.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

EPSS 0.27% · 50.3th percentile

Risk Scores

CVSS v3.1

5.400000095367432

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Score

0.27%

50.3th percentile

Affected Products

Vendor	Product	Versions
back2nature	word_balloon	0
Unknown	Word Balloon	0

Timeline

Jan 23, 2023 CVE Published
Jan 24, 2023 EPSS Score
Mar 5, 2023 EPSS Score
Mar 7, 2023 EPSS Score
May 23, 2023 EPSS Score
Jul 2, 2023 EPSS Score
Aug 11, 2023 EPSS Score
Sep 20, 2023 EPSS Score
Oct 30, 2023 EPSS Score
Dec 9, 2023 EPSS Score
Feb 26, 2024 EPSS Score
Apr 6, 2024 EPSS Score

References

https://wpscan.com/vulnerability/dd5cc04a-042d-402a-ab7a-96aff3d57478 exploit
https://www.debian.org/lts/security/2022/dla-3244 advisory
https://www.debian.org/lts/security/2022/dla-3245 advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-4751 advisory

Open in Interactive Console →