Medium severity6.4NVD Advisory· Published Dec 14, 2022· Updated Apr 8, 2026

CVE-2022-4410

Description

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. This makes it possible for attackers to inject arbitrary web scripts on the permalink-manager page if another plugin or theme is installed on the site that allows lower privileged users with unfiltered_html the ability to modify post/page titles with malicious web scripts.

Affected products

Permalink Manager Lite Project/Permalink Manager Lite
cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:wordpress:*:*
Range: <=2.2.20.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatchThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/6cbf9636-9d9d-44d4-b873-8920f2dbb846nvdThird Party Advisory
wpscan.com/vulnerability/004a4516-7704-40df-b939-7a8ceeb7e7denvd
www.wordfence.com/threat-intel/vulnerabilities/id/6cbf9636-9d9d-44d4-b873-8920f2dbb846nvd

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000