CVE-2022-4699

The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins.

Published: Jan 30, 2023
Updated: Apr 14, 2023
CVE: CVE-2022-4699
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mediaelementjs / mediaelement.js	-	4.2.8.x

https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9

Vulnerability Database

290,206

CVE-2022-4699