CVE-2022-0431

The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
WPScanCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
insights_from_google_pagespeed_projectinsights_from_google_pagespeed
𝑥
< 4.0.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/changeset/2690415
https://wpscan.com/vulnerability/52bd94df-8816-48fd-8788-38d045eb57ca
https://plugins.trac.wordpress.org/changeset/2690415
https://wpscan.com/vulnerability/52bd94df-8816-48fd-8788-38d045eb57ca