CVE-2022-2941 MEDIUM

CVE-2022-2941: WP-UserOnline <= 2.88.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Vendor Gamerz

Product WP-UserOnline

Weakness CWE-79 · XSS

Published September 6, 2022

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Key dates

02Disclosure timeline

September 6, 2022 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-2941 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2022-2941: WP-UserOnline <= 2.88.0 - Authenticated (Admin+) Stored Cross-Site Scripting

01Description

02Disclosure timeline

03References

04Related CVE