CVE-2022-3149

CVE-2022-3149: WP Custom Cursors < 3.0.1 - Stored Cross-Site Scripting via CSRF

Vendor Unknown

Product WP Custom Cursors

Weakness CWE-352 · CSRF

Published October 17, 2022

Last update May 14, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting

Key dates

02Disclosure timeline

October 17, 2022 CVE published

May 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-3149 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

04Related CVE

CVE-2024-20252 CVE-2026-39617 WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability CVE-2023-51354 WordPress Webba Booking Plugin <= 4.5.33 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2022-25608 WordPress Yoo Slider – Image Slider & Video Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete CVE-2025-39425 WordPress Style Manager plugin <= 2.2.7 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability