CVE-2022-3904
Published: 16 January 2023
Summary
CVE-2022-3904 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in the MonsterInsights WordPress plugin (vendor: MonsterInsights). Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The MonsterInsights WordPress plugin before version 8.9.1 contains a cross-site scripting flaw (CWE-79) in its handling of the top posts/pages section. The component fails to sanitize or escape page titles that are populated from Google Analytics data, leaving the output rendered directly in the WordPress dashboard or frontend views.
An unauthenticated attacker can exploit the issue by spoofing requests to Google Analytics, supplying malicious payloads inside page titles. Successful injection results in arbitrary script execution in the browsers of users who view the affected reports, with impacts limited to confidentiality and integrity under the supplied CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
The referenced WPScan advisory documents the vulnerability and identifies the fixed release as 8.9.1. The associated EPSS score reached a peak of 0.4132 with a current value of 0.3671.
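As an added illustration of the pattern the advisory describes (not MonsterInsights' own code), the snippet below renders a constructed "top pages" report first without escaping and then with WordPress's esc_html() applied at output time. The fallback esc_html() definition is a simplification so the file runs outside WordPress, and the row structure (title, views) is assumed.

```php
<?php
// Added example, not MonsterInsights code: a minimal "top pages" renderer showing
// the CWE-79 pattern from the advisory (titles taken from Google Analytics and
// echoed verbatim) next to the escaped form. Analytics data is treated as
// untrusted because the advisory notes requests to it can be spoofed.

// Outside WordPress, fall back to a simplified esc_html(); WordPress's own
// esc_html() additionally normalizes invalid UTF-8 and applies filters.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/** Vulnerable form: the analytics-supplied title lands in the HTML unchanged. */
function render_top_pages_vulnerable(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . $row['title'] . '</td><td>' . $row['views'] . "</td></tr>\n";
    }
    return $html . '</table>';
}

/** Fixed form: every third-party field is escaped or cast at the point of output. */
function render_top_pages_fixed(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . esc_html($row['title']) . '</td><td>'
               . (int) $row['views'] . "</td></tr>\n";
    }
    return $html . '</table>';
}

// Constructed analytics response: the second title carries a harmless marker
// script tag standing in for attacker-influenced report data.
$report = [
    ['title' => 'Welcome to our blog', 'views' => 1200],
    ['title' => '<script>/* marker */</script>Pricing', 'views' => 7],
];

// Defender's check: a raw tag must never survive into the fixed output.
$vuln  = render_top_pages_vulnerable($report);
$fixed = render_top_pages_fixed($report);
if (strpos($vuln, '<script>') === false) {
    throw new RuntimeException('vulnerable renderer unexpectedly altered the title');
}
if (strpos($fixed, '<script>') !== false) {
    throw new RuntimeException('fixed renderer leaked an unescaped tag');
}
echo $fixed, PHP_EOL;   // title appears as &lt;script&gt;...&lt;/script&gt;Pricing
```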
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43240
Vulnerability details
The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to Google Analytics.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.