Cyber Resilience

CVE-2022-4306

MediumPublic PoC

Published: 30 January 2023

Published
30 January 2023
Modified
27 March 2025
KEV Added
Patch
CVSS Score v3.1 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.0333 87.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-4306 is a medium-severity an unspecified weakness vulnerability in Panda Pods Repeater Field Project Panda Pods Repeater Field. Its CVSS base score is 5.4 (Medium).

Operationally, ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Panda Pods Repeater Field WordPress plugin before version 1.5.4 contains a reflected cross-site scripting vulnerability. The plugin fails to sanitize and escape a user-supplied parameter before echoing it back into a page response, allowing script execution in the context of other users. The affected component is a third-party WordPress plugin that extends pod management functionality, and the flaw is reachable by any authenticated user holding at least Contributor privileges.

An attacker with Contributor-level access can craft a malicious link or request that, when visited by a higher-privileged user, executes arbitrary JavaScript in that user’s browser session. Successful exploitation can lead to actions such as account takeover, content manipulation, or theft of sensitive data within the WordPress site, consistent with the reported CVSS 5.4 vector requiring network access, low attack complexity, low privileges, and user interaction.

Advisories published on WPScan recommend updating the plugin to version 1.5.4 or later to remediate the issue. The EPSS score rose from a low baseline to a peak of 0.1283 before receding to the current value of 0.0333, indicating a temporary increase in exploitation interest after disclosure. No evidence of widespread in-the-wild exploitation has been reported.

EU & UK References

Vulnerability details

The Panda Pods Repeater Field WordPress plugin before 1.5.4 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor…

more

permission.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

panda pods repeater field project
panda pods repeater field
≤ 1.5.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References