CVE-2022-1093

low-risk
Published 2022-05-23

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed.

Do I need to act?

-
0.25% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Wp Meta Seo

Affected Vendors

Joomunited

References (2)

Exploit https://wpscan.com/vulnerability/57017050-811e-474d-8256-33d19d4c0553
Exploit https://wpscan.com/vulnerability/57017050-811e-474d-8256-33d19d4c0553
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal