cbcvebase.
CVE-2022-1221
published 2022-05-23


Priority: P2 (79) · medium · CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.00% (78.3rd percentile)
The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.

Affected

1 range

Vendor                            | Product                  | Version range | Fixed in
gwyn_s_imagemap_selector_project  | gwyn_s_imagemap_selector | <= 0.3.3      | (none listed)

Detection & IOCs (extracted from sources)

  • Reflected XSS in Gwyn's Imagemap Selector WordPress plugin (≤ 0.3.3): unsanitised parameters are reflected back in HTML attributes; look for XSS payloads in query parameters on pages using this plugin
  • Nuclei-style detection: the HTTP response must have a Content-Type header of text/html and status code 200, with the XSS payload (e.g. alert(document.domain)) reflected in the response body
  • The CVE affects only plugin versions through 0.3.3; no patched version is confirmed in the sources

CVSS provenance

Source       | Version | Score | Severity | Vector
nvd          | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd          | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck    |         | 6.1   | MEDIUM   |
vendor_cisco |         | 6.8   | MEDIUM   |