CVE-2022-4973

WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting. It can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors, making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.


We have discovered 595,948 live websites that are affected by CVE-2022-4973.


Affected Software

Product  WordPress
Category Content Management System
Vulnerable Domains 595,948 live websites (6.89% of WordPress install base)
Vulnerable Versions
  • from 0 through 3.6.1
  • from 3.7 through 3.7.38
  • from 3.8 through 3.8.38
  • from 3.9 through 3.9.36
  • from 4 through 4.0.35
  • from 4.1 through 4.1.35
  • from 4.2 through 4.2.32
  • from 4.3 through 4.3.28
  • from 4.4 through 4.4.27
  • from 4.5 through 4.5.26
  • from 4.6 through 4.6.23
  • from 4.7 through 4.7.23
  • from 4.8 through 4.8.19
  • from 4.9 through 4.9.20
  • from 5 through 5.0.16
  • from 5.1 through 5.1.13
  • from 5.2 through 5.2.15
  • from 5.3 through 5.3.12
  • from 5.4 through 5.4.10
  • from 5.5 through 5.5.9
  • from 5.6 through 5.6.8
  • from 5.7 through 5.7.6
  • from 5.8 through 5.8.4
  • from 5.9 through 5.9.3
  • from 6 through 6.0.1
Vulnerable Versions Count 436 versions (66% of all versions)


Common Weakness Enumeration

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - Oct 16, 2024
  • Updated - Oct 16, 2024

Credits

  • John Blackbourn (finder)

Website Distribution by Country

Number of websites affected by CVE-2022-4973
United States 127,462 websites
Italy 68,670 websites
Japan 41,260 websites
Germany 40,743 websites
Russia 34,222 websites
GB 26,672 websites
Poland 24,081 websites
France 22,273 websites
Netherlands 18,693 websites
Spain 12,358 websites

Website Distribution by TLD

Number of websites affected by CVE-2022-4973
.com 215,795 websites
.it 44,945 websites
.ru 29,240 websites
.org 24,502 websites
.de 19,900 websites
.net 19,054 websites
.pl 17,530 websites
.co.uk 15,006 websites
.nl 13,977 websites
.jp 9,641 websites

FAQ

CVE-2022-4973 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WordPress.
A total of 595,948 websites have been identified as vulnerable to CVE-2022-4973, based on global website indexing conducted by WebTechSurvey.
WordPress is affected by the CVE-2022-4973 vulnerability.
WordPress versions up to and including 6.0.1 are vulnerable to CVE-2022-4973.