The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the nm_vistior page.
History

Tue, 01 Oct 2024 14:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Nitinmaurya; Nitinmaurya wordpress Visitors
CPEs                | (none)         | cpe:2.3:a:nitinmaurya:wordpress_visitors:*:*:*:*:*:wordpress:*:*
Vendors & Products  | (none)         | Nitinmaurya; Nitinmaurya wordpress Visitors

Thu, 26 Sep 2024 14:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Nitinmaurya12; Nitinmaurya12 wordpress Visitors
CPEs                | (none)         | cpe:2.3:a:nitinmaurya12:wordpress_visitors:*:*:*:*:*:*:*:*
Vendors & Products  | (none)         | Nitinmaurya12; Nitinmaurya12 wordpress Visitors
Metrics             | (none)         | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Sep 2024 09:45:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the nm_vistior page.
Title       | (none)         | WordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP Header
Weaknesses  | (none)         | CWE-79
References  | (none)         |
Metrics     | (none)         | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-26T09:29:43.280Z

Updated: 2024-09-26T13:28:37.408Z

Reserved: 2022-12-16T02:26:52.976Z

Link: CVE-2022-4541

Vulnrichment

Updated: 2024-09-26T13:28:19.704Z

NVD

Status: Analyzed

Published: 2024-09-26T10:15:02.437

Modified: 2024-10-01T13:46:08.473

Link: CVE-2022-4541

Redhat

No data.