CVE-2022-3908
Published: 12 December 2022
Summary
CVE-2022-3908 is a medium-severity vulnerability of an unspecified weakness type in the Helloprint plugin by Helloprint. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Helloprint WordPress plugin before version 1.4.7 contains a reflected cross-site scripting vulnerability because it fails to sanitize and escape an unspecified parameter before echoing it back into page output. The affected component is the client-facing portion of the plugin running on WordPress sites, rated at CVSS 6.1 with network attack vector, no authentication required, and user-interaction dependency.
An unauthenticated attacker can supply a crafted link or request containing malicious JavaScript; when a victim follows the link the script executes in the victim's browser under the site's origin, enabling limited theft or manipulation of session data and page content within the reflected context.
The referenced WPScan advisory identifies the issue in builds prior to 1.4.7 and indicates that updating to version 1.4.7 or later removes the reflected XSS vector. The EPSS score rose materially from a low baseline to a peak of 0.3365 on 2025-12-11 before receding to the current value of 0.0586, indicating that exploitation interest appeared well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43244
Vulnerability details
The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
- CWE(s): not specified
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.