CVE-2022-1221
Published: 23 May 2022
Summary
CVE-2022-1221 is a medium-severity reflected cross-site scripting (CWE-79) vulnerability in the Gwyn's Imagemap Selector WordPress plugin (vendor: Gwyn's Imagemap Selector Project). Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 12.6% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Gwyn's Imagemap Selector WordPress plugin through version 0.3.3 contains a reflected cross-site scripting vulnerability (CWE-79) because it fails to sanitize or escape certain request parameters before echoing them into HTML attributes. The flaw affects any site running the vulnerable plugin and carries a CVSS 3.1 score of 6.1 with network attack vector, low attack complexity and no required authentication; the only precondition is user interaction, since a victim has to open the crafted link.
An unauthenticated attacker can craft a malicious URL containing the unsanitized parameters and induce a victim to visit it, resulting in execution of arbitrary script code in the victim's browser under the site's origin. Successful exploitation can lead to limited impacts on confidentiality and integrity, such as theft of session tokens or unauthorized actions performed on behalf of the user.
The primary public reference is the WPScan advisory at the listed URL, which documents the issue and is the source of the vulnerability details.
EPSS for this CVE rose from a low baseline to a peak of 0.2555 on 2025-12-11 before receding to the current value of 0.0325, indicating that exploitation interest emerged well after the 2022 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24559
Vulnerability details
The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Gwyn's Imagemap Selector WordPress plugin, all versions through 0.3.3
Mitigating Controls
Likely mitigating controls (derived automatically from weakness type)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type cited in the NVD entry, CWE-79.
- Penetration testing: submit XSS payloads to the application's request parameters and check whether they come back unescaped, so the flaw is found and remediated before an attacker uses it.
- Input validation: validate web inputs and reject script-related content that could produce XSS. This is a secondary control only; it does not replace output escaping, because attribute-context payloads need no `<script>` tag at all.
- Output encoding: escape generated output for the context it is written into, here HTML attributes (WordPress provides esc_attr() for this), so a reflected value cannot close the attribute and introduce markup or an event handler.
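The following is an added example, not code from the plugin or from the WPScan advisory. It mocks the attribute-context reflection described in the deeper analysis (a request value concatenated into an HTML attribute without escaping), places the hardened form beside it, and implements the payload-submission check listed above as a mitigating control: a cheap verbatim-canary test plus a parser-based check that tells whether the reflected value actually broke out of its attribute. The parameter name `area`, the `<map>`/`<area>` markup and the payloads are assumptions chosen for illustration; the advisory does not name the affected parameters.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for a plugin template that echoes a request parameter
# into an HTML attribute. The parameter name "area" and the markup are
# hypothetical; the advisory does not name the affected parameters.


def render_vulnerable(params: dict) -> str:
    """CWE-79 pattern: the value is concatenated into an attribute unescaped."""
    alt = params.get("area", "")
    return '<map name="selector"><area alt="' + alt + '" href="#"></map>'


def render_fixed(params: dict) -> str:
    """Hardened form: attribute-context escaping (WordPress: esc_attr())."""
    # quote=True also encodes " and ' so the value cannot close the attribute.
    alt = html.escape(params.get("area", ""), quote=True)
    return '<map name="selector"><area alt="' + alt + '" href="#"></map>'


class _Probe(HTMLParser):
    """Parse a response roughly as a browser would, recording what the
    reflected value became: a new tag, or an event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name, value or ""))


def reflected_unescaped(body: str, canary: str) -> bool:
    """First pass used by scanners: did the probe come back verbatim?"""
    return canary in body


def attribute_breakout(body: str) -> bool:
    """Did the reflected value escape its attribute and become markup?

    A <script> tag or any on* handler attribute that the template itself
    never emits means the payload changed the document structure."""
    probe = _Probe()
    probe.feed(body)
    probe.close()
    return bool(probe.event_handlers) or "script" in probe.tags


def scan(render, payload: str) -> dict:
    """Run one payload through a render function and summarise the findings."""
    body = render({"area": payload})
    return {
        "reflected_unescaped": reflected_unescaped(body, payload),
        "attribute_breakout": attribute_breakout(body),
        "body": body,
    }


if __name__ == "__main__":
    # Two constructed payloads: one stays in attribute context and adds an
    # event handler, the other closes the tag and injects a <script> element.
    for payload in ['" onmouseover="alert(1)', '"><script>alert(1)</script>']:
        for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
            result = scan(render, payload)
            print(f"{name:10} {payload!r:38} breakout={result['attribute_breakout']}")
```

The canary check alone is what most scanners start with, but the parser-based check is the one worth keeping: a value that is reflected verbatim inside a correctly quoted attribute is harmless, while `" onmouseover="alert(1)` needs no `<script>` tag and slips past filters that only look for tags, which is why output escaping in the attribute context, not input filtering, is the fix for this class of bug.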