CVE-2022-4321
Published: 06 February 2023
Summary
CVE-2022-4321 is a medium-severity reflected cross-site scripting (XSS) vulnerability in WP Swings PDF Generator For WordPress. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 6.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The PDF Generator for WordPress plugin before version 1.1.2 is affected by a reflected cross-site scripting vulnerability in a vendored dompdf example file that ships with the plugin. The flaw carries a CVSS 3.1 score of 6.1: it is reachable over the network with low attack complexity and no authentication, but it requires user interaction, since a victim has to open a crafted link.
An unauthenticated attacker can craft a link carrying a reflected XSS payload; when a victim follows it, the script runs in that user's browser session on the affected site. If the victim is a high-privilege user such as an administrator, the attacker gains the actions that session can perform. CVSS rates the impact as low on confidentiality and integrity with changed scope, the usual scoring for reflected XSS because the payload executes in the victim's browser rather than in the vulnerable component itself.
Advisories published by WPScan identify the issue in the plugin and indicate that it is resolved by updating to version 1.1.2 or later. The EPSS score has stayed around 0.12, with only minor variation between its current and peak values.
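The practical check that follows from the advisory is whether an installed copy of the plugin is below the fixed version 1.1.2. The helper below is an added example, not code from the plugin, WP Swings or WPScan: it reads the standard WordPress plugin file header, extracts the `Version:` field and compares it against the fixed version with a numeric (not string) comparison, so that `1.1.10` is correctly treated as newer than `1.1.2`. The plugin header text is constructed for the example; only the fixed version 1.1.2 comes from the advisory.

```python
"""Version triage for CVE-2022-4321 (PDF Generator for WordPress < 1.1.2).

Added example, not the plugin's or WPScan's own code. The plugin header
below is constructed for illustration; the fixed version is from the advisory.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = "1.1.2"  # first non-vulnerable release per the WPScan advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version string into a comparable tuple of ints.

    Parsing stops at the first non-numeric component, and short versions
    are padded to three components so that '1.1' compares equal to '1.1.0'.
    Comparing tuples avoids the classic string-comparison bug where
    '1.1.10' < '1.1.2'.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin file header.

    WordPress reads these fields from the leading comment block of the
    plugin's main PHP file; the optional leading '*' handles docblock style.
    """
    match = re.search(
        r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE | re.IGNORECASE
    )
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(header_text: str) -> Dict[str, object]:
    """Return a small triage record for one plugin header."""
    installed = plugin_version_from_header(header_text)
    if installed is None:
        return {"installed": None, "affected": None, "note": "no Version: field found"}
    return {
        "installed": installed,
        "affected": is_affected(installed),
        "note": "update to %s or later" % FIXED_VERSION if is_affected(installed) else "not affected",
    }


# Constructed sample of a plugin main-file header (not the real plugin's file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PDF Generator For WordPress
 * Description: Sample header used only for this example.
 * Version: 1.1.1
 */
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

In a real sweep, feed `triage()` the contents of the plugin's main PHP file from each site you manage; a `None` result means the header could not be parsed and the site needs a manual look rather than a "not affected" verdict.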
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51674
Vulnerability details
The PDF Generator for WordPress plugin before 1.1.2 includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high privilege users such as admin.
Related Threats
No named actor attribution yet; no ATT&CK technique mapping is available for this CVE.
Mitigating Controls
Update the plugin to version 1.1.2 or later, the fix referenced by the WPScan advisory. Until the update is applied, the usual reflected-XSS reductions apply: block direct web access to the plugin's vendored dompdf example files, and serve a Content-Security-Policy that disallows inline script so a reflected payload has less to work with.