CVE-2022-3934
Published 2022-12-12
Priority: P4 (26)
Severity: medium, CVSS 3.1 base score 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploit
EPSS: 0.87% (54.2nd percentile)
The FlatPM WordPress plugin before 3.0.13 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mehanoid | flat_pm | <= 2.661 | — |
The range row lists no fixed version, and its upper bound (2.661) does not line up with the description above, which states that the fix shipped in 3.0.13. When triaging, treat any FlatPM install below 3.0.13 as affected and verify the installed plugin version directly rather than relying on this row.
No detection rules found.
Nuclei
CVE-2022-3934 [MEDIUM] WordPress FlatPM <3.0.13 - Cross-Site Scripting (nuclei · CVSS 5.4)
WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
Template (info block only):

```yaml
id: CVE-2022-3934

info:
  name: WordPress FlatPM <3.0.13 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.
```
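The advisory and the template both hinge on one distinction: a request parameter written back into the page verbatim versus one that is escaped on output, and a scanner deciding which of the two it is looking at. The following is an added example, not FlatPM code and not part of the Nuclei project's template. It uses Python to stand in for the PHP behaviour: `render_vulnerable` models the unescaped echo the advisory describes, `render_fixed` models output escaping (the equivalent of WordPress `esc_html()` for a text node), and `reflected_xss_match` mirrors the conjunction a reflected-XSS template typically checks (HTTP 200, an HTML content type, the raw canary present in the body). The parameter name, markup, canary and responses are all constructed for illustration; the page names none of them.

```python
import html
from dataclasses import dataclass

# Constructed canary: a marker unlikely to occur in a page by itself, plus two
# characters (< and ") that must be entity-encoded before landing in HTML.
CANARY = 'xss9f3<"zq'


def render_vulnerable(param: str) -> str:
    """Hypothetical handler that echoes the request parameter straight into the
    page with no sanitising and no escaping: the pattern the advisory describes."""
    return f'<div class="flatpm-result">Search: {param}</div>'


def render_fixed(param: str) -> str:
    """Same handler with escaping on output. html.escape(quote=True) encodes
    < > & " ' the way WordPress esc_html()/esc_attr() would for this context."""
    return f'<div class="flatpm-result">Search: {html.escape(param, quote=True)}</div>'


def classify_reflection(body: str, canary: str) -> str:
    """Return 'unescaped' if the canary is reflected verbatim (injectable),
    'escaped' if it appears only in entity-encoded form, 'absent' otherwise."""
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response, constructed for the example."""
    status: int
    content_type: str
    body: str


def reflected_xss_match(resp: Response, canary: str) -> bool:
    """Conjunction a reflected-XSS Nuclei template typically expresses as
    matchers-condition: and -> status 200, Content-Type text/html, raw payload
    in the body. A JSON or escaped reflection must not match."""
    return (
        resp.status == 200
        and resp.content_type.lower().startswith("text/html")
        and classify_reflection(resp.body, canary) == "unescaped"
    )


if __name__ == "__main__":
    # Constructed responses: one from the unpatched handler, one from the fixed one.
    for label, body in (("vulnerable", render_vulnerable(CANARY)),
                        ("fixed", render_fixed(CANARY))):
        resp = Response(200, "text/html; charset=UTF-8", body)
        print(f"{label:10s} reflection={classify_reflection(body, CANARY):9s} "
              f"match={reflected_xss_match(resp, CANARY)}")
```

The escaped-vs-unescaped split is the part worth keeping in mind when a scanner reports a hit: a canary that comes back as `&lt;` and `&quot;` is evidence the output is escaped, not a finding. The UI:R in the CVSS vector above is the other half of the picture: the raw reflection is only useful to an attacker once a privileged user opens the crafted link.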
No writeups or analysis indexed.