CVE-2022-3096

Summary

The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.

Affected Software

VendorProductVersion RangeStatus
UnknownWP Total Hacks4.7.2 <= 4.7.2affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization
  • CWE-79: CWE-79 Cross-Site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References