CVE-2022-3904


MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics

The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to Google Analytics.



We have discovered 163,887 live websites that are affected by CVE-2022-3904.





Affected Software

Product  MonsterInsights
Category Analytics
Vulnerable Versions
  • from 0 before 8.9.1
Total Vulnerable Versions  145
Vulnerable Domains  163,887 live websites (18.21% of MonsterInsights install base)


Common Weakness Enumeration


CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - Jan 16, 2023

Credits

  • Grzegorz Niedziela (finder)
  • WPScan (coordinator)





Countries

United States  51,032 websites
France  9,546 websites
Japan  9,238 websites
GB  8,620 websites
Germany  8,410 websites
Italy  8,079 websites
Netherlands  6,092 websites
Spain  5,412 websites
Poland  4,876 websites
Canada  4,286 websites

TLDs

.com  76,929 websites
.org  6,921 websites
.it  5,232 websites
.co.uk  4,972 websites
.nl  4,865 websites
.net  4,338 websites
.de  3,945 websites
.fr  3,758 websites
.pl  3,739 websites
.com.br  3,157 websites





Websites affected by CVE-2022-3904

Top websites that are affected by CVE-2022-3904.
Domain  Country  Rank  Contacts
************.***.ar  Argentina  *,***
***.*************.com  United States  *,***
*****.org  United States  *,***
****.******.net  United States  *,***
***.**********.com  Ireland  **,***
*****.********.**.**.uk  GB  **,***
********.********.edu  United States  **,***
***.*****.com  United States  **,***
********************.com  United States  **,***
***.************.com  United States  **,***