CVE-2022-0840
Published: 2022-04-11
CVE-2022-0840: The Easy Social Icons WordPress plugin before 3.2.1 does not properly escape the image_file field when adding a new social icon, allowing high privileged users…
Priority: P419
CVSS 3.1: 4.8 (medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.59% (43.7th percentile)
The Easy Social Icons WordPress plugin before 3.2.1 does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfiltered_html capability is disallowed.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybernetikz | easy_social_icons | < 3.2.1 | 3.2.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-qp34-j2qv-6pv6: The Easy Social Icons WordPress plugin before 3
Source: ghsa_unreviewed · 2022-04-12
CVE-2022-0840 [MEDIUM] CWE-79 GHSA-qp34-j2qv-6pv6: The Easy Social Icons WordPress plugin before 3
The Easy Social Icons WordPress plugin before 3.2.1 does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfiltered_html capability is disallowed.
CISA
Oracle JRE Unspecified Vulnerability
Source: cisa · 2022-05-25 · CVSS 9.8
Note: this KEV entry is for CVE-2010-0840, a different vulnerability from the CVE-2022-0840 described above.
CVE-2010-0840 [CRITICAL] Oracle JRE Unspecified Vulnerability
Vulnerability: Oracle JRE Unspecified Vulnerability
Affected: Oracle Java Runtime Environment (JRE)
Unspecified vulnerability in the Java Runtime Environment (JRE) in Java SE component allows remote attackers to affect confidentiality, integrity, and availability via Unknown vectors.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-0840
Remediation Due Date: 2022-06-15
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.