CVE-2022-1393

CVE-2022-1393: WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting

Vendor Unknown

Product WP Subtitle

Weakness CWE-79 · XSS

Published May 16, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the key: "wps_subtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button (via AJAX) - and this makes the XSS exploitable by authenticated users with a role as low as contributor.

Key dates

02Disclosure timeline

May 16, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1393 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2020-5286 Reflected XSS related in import page in PrestaShop CVE-2026-2506 EM Cost Calculator <= 2.3.1 - Unauthenticated Stored Cross-Site Scripting via 'customer_name' CVE-2023-22684 WordPress Subscribers – Free Web Push Notifications Plugin <= 1.5.3 is vulnerable to Cross Site Scripting (XSS) CVE-2026-42558 Xibo Vulnerable to Stored XSS and Iframe Sandbox Escape via Data Connector Script in DataSet CVE-2019-25092 Nakiami Mellivora Admin Panel user.inc.php print_user_ip_log cross site scripting