CVE-2022-4664 — Cross-site Scripting in Logo Slider

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 51.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Logichunt Logo Slider

Timeline

PublishedFeb 6

Description

The Logo Slider WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDlogichunt/logo_slider< 3.6.0

🔴Vulnerability Details

GHSA

GHSA-647w-72c4-73xq: The Logo Slider WordPress plugin before 3↗2023-02-06

▶

CVEList

Logo Slider < 3.6.0 - Contributor+ Stored XSS in Shortcode↗2023-02-06

▶

💥Exploits & PoCs

Exploit-DB

TLR-2005KSH - Arbitrary File Delete↗2022-05-12

▶

Exploit-DB

Zyxel NWA-1100-NH - Command Injection↗2022-04-19

▶