CVE-2022-0422
Published: 07 March 2022
Summary
CVE-2022-0422 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Videousermanuals White Label Cms. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The White Label CMS WordPress plugin before version 2.2.9 contains a reflected cross-site scripting vulnerability (CWE-79) in its handling of the wlcms[_login_custom_js] parameter. The plugin fails to sanitize or validate this input before echoing it back in responses during the preview operation, allowing arbitrary JavaScript to be injected into the rendered page. The issue carries a CVSS 3.1 score of 6.1 with network attack vector, no required privileges, and a changed scope.
An unauthenticated attacker can craft a malicious URL containing the unsanitized parameter and deliver it to a victim user. When the recipient interacts with the link, the injected script executes in the context of the affected WordPress site, enabling limited theft or manipulation of data visible to that user session.
The referenced WordPress plugin changeset 2672615 and WPScan advisory document the fix that was released in version 2.2.9; administrators are advised to update the plugin to that release or later to eliminate the reflected output of the unvalidated parameter. The associated EPSS score has remained flat at 0.0841 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15564
Vulnerability details
The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
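As an added example (not code from the plugin, the advisory, or WPScan), the following Python scans web-server access logs for requests that carry the wlcms[_login_custom_js] parameter described above and marks values that contain markup or JavaScript as suspicious; only the parameter name comes from the advisory, while the admin page path, client addresses and log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Only the parameter name comes from the advisory; the admin page path,
# client addresses and payload values below are constructed for this example.
PARAM = "wlcms[_login_custom_js]"

SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2022:10:00:00 +0000] "GET /wp-admin/admin.php?page=wlcms-plugin.php&wlcms%5B_login_custom_js%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2022:10:01:00 +0000] "GET /wp-admin/admin.php?page=wlcms-plugin.php&wlcms%5B_login_custom_js%5D=console.log%28%27hi%27%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [07/Mar/2022:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers that the value carries markup or script rather than a plain setting.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*(script|img|svg|iframe)|javascript:|\bon[a-z]+\s*=", re.I)


def param_values(uri: str) -> list[str]:
    """Return every (percent-decoded) value of the vulnerable parameter in the query string."""
    return parse_qs(urlsplit(uri).query, keep_blank_values=True).get(PARAM, [])


def scan_log(text: str) -> list[dict]:
    """Flag every request carrying the parameter; mark values with markup/JS markers as suspicious.

    Reflected XSS via this parameter is deliverable by GET, so query strings are enough here;
    POST bodies do not appear in standard access logs.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in param_values(m["uri"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "value": value, "suspicious": bool(SCRIPT_MARKERS.search(value))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        label = "SUSPICIOUS" if hit["suspicious"] else "seen      "
        print(label, hit["ip"], hit["ts"], repr(hit["value"]))
```

Any hit at all is worth a look on a site still running a version before 2.2.9, since the parameter should only be reaching the preview handler from an administrator's own session.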