The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2695242 | Patch Third Party Advisory |
https://wpscan.com/vulnerability/59a7a441-7384-4006-89b4-15345f70fabf | Exploit Patch Third Party Advisory |
History
21 Nov 2024, 06:39
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/changeset/2695242 - Patch, Third Party Advisory | |
References | () https://wpscan.com/vulnerability/59a7a441-7384-4006-89b4-15345f70fabf - Exploit, Patch, Third Party Advisory |
15 Apr 2022, 03:39
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vertistudio:image_optimization_\&_lazy_load_by_optimole:*:*:*:*:*:wordpress:*:* | |
CVSS | v2 : v3 : | v2 : 3.5, v3 : 4.8 |
References | (MISC) https://wpscan.com/vulnerability/59a7a441-7384-4006-89b4-15345f70fabf - Exploit, Patch, Third Party Advisory | |
References | (CONFIRM) https://plugins.trac.wordpress.org/changeset/2695242 - Patch, Third Party Advisory |
11 Apr 2022, 15:22
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-11 15:15
Updated : 2024-11-21 06:39
NVD link : CVE-2022-0969
Mitre link : CVE-2022-0969
CVE.ORG link : CVE-2022-0969
Products Affected
vertistudio
- image_optimization_\&_lazy_load_by_optimole
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')