
CVE-2022-4321

Severity: Medium · Public PoC available

Published: 06 February 2023
Modified: 26 March 2025
KEV Added: (not listed)
Patch: (not listed here; see Deeper analysis)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1207 (94.0th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4321 is a medium-severity vulnerability in Wpswings Pdf Generator For Wordpress; no weakness type (CWE) is listed for it. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The PDF Generator for WordPress plugin before version 1.1.2 is affected by a reflected cross-site scripting vulnerability stemming from an included vendored dompdf example file. The flaw carries a CVSS 3.1 score of 6.1 and can be triggered over the network with low attack complexity against users who interact with a malicious link.

An unauthenticated attacker can craft a reflected XSS payload that executes in the context of a high-privilege user such as an administrator, resulting in limited impacts to confidentiality and integrity within a changed scope.

Advisories published by WPScan identify the issue in the plugin and indicate that the vulnerability is resolved by updating to version 1.1.2 or later. The associated EPSS score has remained in the 0.12 range with only minor variation between its current and peak values.


Vulnerability details

The PDF Generator for WordPress plugin before 1.1.2 includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high-privilege users such as administrators.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpswings
Product: pdf generator for wordpress
Versions: ≤ 1.1.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
