CVE-2022-3096

CVE-2022-3096: WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS

Vendor Unknown

Product WP Total Hacks

Weakness CWE-862 · Missing authorization

Published October 31, 2022

Last update May 6, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.

Key dates

02Disclosure timeline

October 31, 2022 CVE published

May 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-3096 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-42651 WordPress Classified Listing plugin <= 5.3.9 - Broken Access Control vulnerability CVE-2023-1335 RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'ucss_connect' CVE-2025-69181 WordPress Lawyer Directory plugin <= 1.3.4 - Broken Access Control vulnerability CVE-2025-2789 MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.19 - Missing Authorization to Unauthenticated Table Rates Deletion CVE-2026-34892 WordPress Rank Math SEO plugin <= 1.0.271 - Broken Access Control vulnerability