CVE-2022-1063

CVE-2022-1063: Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting

Vendor Unknown
Product Thank Me Later
Weakness CWE-79 · XSS
Published April 18, 2022
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Key dates

02Disclosure timeline

April 18, 2022 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-23622 WordPress CBX Accounting & Bookkeeping plugin <= 1.3.14 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-0554 Podlove Podcast Publisher <= 4.1.25 - Authenticated (Admin+) Stored Cross-Site Scripting via Feed Name CVE-2025-68499 WordPress JetTabs plugin <= 2.2.12 - Cross Site Scripting (XSS) vulnerability CVE-2023-32740 WordPress Custom 404 Pro Plugin <= 3.8.1 is vulnerable to Cross Site Scripting (XSS) CVE-2024-43720 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)