CVE-2022-4464Cross-site Scripting in Portfolio Post

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 51.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Themify Portfolio Post
Timeline
PublishedJan 16

Description

Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
Themify Portfolio Post < 1.2.1 - Contributor+ Stored XSS2023-01-16
GHSA
GHSA-237f-7hfc-5r9q: Themify Portfolio Post WordPress plugin before 12023-01-16
CVE-2022-4464 — Cross-site Scripting in Portfolio Post | cvebase