CVE-2022-1628 MEDIUM

CVE-2022-1628: Simple SEO <= 1.7.91 - Authenticated (Contributor+) Stored Cross-Site Scripting

Vendor Coleds
Product Simple SEO
Weakness CWE-79 · XSS
Published September 6, 2022
Last update January 31, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Simple SEO plugin for WordPress is vulnerable to attribute-based stored Cross-Site Scripting in versions up to, and including 1.7.91, due to insufficient sanitization or escaping on the SEO social and standard title parameters. This can be exploited by authenticated users with Contributor and above permissions to inject arbitrary web scripts into posts/pages that execute whenever an administrator access the page.

Key dates

02Disclosure timeline

September 6, 2022 CVE published
January 31, 2025 Record updated