CVE-2022-0750

Exploit

EPSS 4.36%
Veröffentlicht 23.03.2022 20:15:10
Zuletzt bearbeitet 08.04.2026 18:17:21
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Photoswipe Masonry Gallery <= 1.2.14 Stored Cross-Site Scripting

The Photoswipe Masonry Gallery WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the thumbnail_width, thumbnail_height, max_image_width, and max_image_height parameters  found in the ~/photoswipe-masonry.php file which allows authenticated attackers to inject arbitrary web scripts into galleries created by the plugin and on the PhotoSwipe Options page. This affects versions up to and including 1.2.14.

Mögliche Gegenmaßnahme

Photoswipe Masonry Gallery: Update to version 1.2.15, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Thriveweb ≫ Photoswipe Masonry Gallery SwPlatformwordpress Version < 1.2.15

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Photoswipe Masonry Gallery

Version *-1.2.14

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.36%	0.9

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security@wordfence.com	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://wordpress.org/plugins/photoswipe-masonry/

Product

https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerability-patched-in-a-wordpress-photo-gallery-plugin/

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/64624d4c-3ffb-4516-a938-0accde24c79f?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/64624d4c-3ffb-4516-a938-0accde24c79f

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-0750

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-0750

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-0750

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-0750