CVE-2022-4486

Meteor Slides < 1.5.7 - Contributor+ Stored XSS

The Meteor Slides WordPress plugin before 1.5.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

We have discovered 4 live websites that are affected by CVE-2022-4486.

Affected Software


Product	Meteor Slides
Category	Wordpress Plugins
Vulnerable Versions	from 0 before 1.5.7
Total Vulnerable Versions	31
Vulnerable Domains	4 live websites (5.97% of Meteor Slides install base)

Common Weakness Enumeration

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Distribution by Website Rank

The diagram provides a graphic representation of the correlation between the occurrence of CVE-2022-4486 and the relative popularity of websites

Available Reports

Website List

Details

Published - Jan 16, 2023
Updated - Feb 20, 2023

Credits

Lana Codes (finder)
WPScan (coordinator)

CWE

CWE-79

CVE References

CWE References

cwe.mitre.org

Countries

United States	3 websites

Germany	1 websites

TLDs

.com	2 websites
.de	1 websites
.org	1 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Geographical Distribution

The distribution of websites across the globe that are exposed to CVE-2022-4486 through included software libraries and plugins.

References

https://wpscan.com/vulnerability/d0afd17c-09cd-4ab5-95a5-6ac8c3c0a50b

Websites affected by CVE-2022-4486

Top websites that are affected by CVE-2022-4486. Please click on the "Contact us" button above to get more information.

Domain	Country	Rank
*.******.com	United States	*,*
**************.de	Germany	,,*
*****************.com	United States	,,*
*.*********.org	United States	,,*

See full domain list