CVE-2022-0201

moderate-risk
Published 2022-02-14

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue

Do I need to act?

!
17.9% chance of exploitation in next 30 days
EPSS score — higher than 82% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Permalink Manager Lite

Affected Vendors

Permalink Manager Lite Project Permalink Manager Project

References (4)

Patch https://plugins.trac.wordpress.org/changeset/2656512
Exploit https://wpscan.com/vulnerability/f274b0d8-74bf-43de-9051-29ce36d78ad4
Patch https://plugins.trac.wordpress.org/changeset/2656512
Exploit https://wpscan.com/vulnerability/f274b0d8-74bf-43de-9051-29ce36d78ad4
43
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 13/34 · Low
Exposure 7/34 · Low