Description
WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin AAWP 3.16 contains a reflected cross‑site scripting flaw that can be triggered by manipulating the tab parameter on its settings page. Attackers construct URLs that inject malicious JavaScript which will execute in the browsers of authenticated users who visit the admin page. This allows an attacker to run arbitrary scripts with the privileges of the logged‑in user, potentially hijacking accounts, stealing credentials, or distributing malware.

Affected Systems

WordPress Plugin AAWP version 3.16, developed by Getaawp.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. Exploitation requires an authenticated user to access the malicious link, and no active exploits are listed in CISA KEV. The likely attack vector involves a malicious URL sent to a logged‑in administrator, who then unknowingly triggers the XSS payload.

Generated by OpenCVE AI on May 10, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AAWP plugin to the latest version that fixes the reflected XSS bug
  • Ensure that all WordPress installations run the updated plugin and are kept current with other security patches
  • If an immediate update is impossible, restrict access to the aawp-settings admin page and warn users against clicking untrusted URLs

Generated by OpenCVE AI on May 10, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Getaawp
Getaawp wordpress Plugin Aawp
Wordpress
Wordpress wordpress
Vendors & Products Getaawp
Getaawp wordpress Plugin Aawp
Wordpress
Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users.
Title WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Getaawp Wordpress Plugin Aawp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T13:38:34.663Z

Reserved: 2026-01-11T13:34:26.334Z

Link: CVE-2022-50970

cve-icon Vulnrichment

Updated: 2026-05-11T13:38:29.786Z

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:34.993

Modified: 2026-05-10T13:16:34.993

Link: CVE-2022-50970

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:23:40Z

Weaknesses