CVE-2022-0376

CVE-2022-0376: User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting

Vendor Unknown

Product User Meta – User Profile Builder and User management plugin

Weakness CWE-79 · XSS

Published May 30, 2022

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Key dates

02Disclosure timeline

May 30, 2022 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-0376 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-12037 Frontend Content Forms for User Submissions (UGC) <= 2.8.13 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-3068 Custom Field Suite <= 2.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2025-13525 WP Directory Kit <= 1.4.5 - Reflected Cross-Site Scripting via 'order_by' Parameter CVE-2024-4663 OSM Map Widget for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter CVE-2026-50231 Lyrion Music Server 9.2.0 Unauthenticated Stored XSS via server.log