CVE-2022-50970
Description
WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Plugin AAWP 3.16 has a reflected XSS vulnerability allowing authenticated attackers to inject scripts via the tab parameter.
Vulnerability Overview
The AAWP WordPress plugin version 3.16 fails to properly sanitize the tab parameter on the plugin's settings page (aawp-settings). This allows a reflected cross-site scripting (XSS) attack in which an attacker can inject arbitrary JavaScript via the tab URL parameter [1][2]. The vulnerability is categorized as CWE-79 and has a CVSS v4 score of 5.4 (Medium) [2].
Exploitation Details
To exploit, an attacker crafts a URL containing a malicious XSS payload in the tab parameter, such as %22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y [3]. When an authenticated WordPress administrator visits this URL, the script executes in the context of the victim's browser. The attacker does not need prior authentication, but the victim must have admin-level access to the WordPress site for the payload to execute.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially enabling session hijacking, administrative actions on behalf of the victim, or defacement of the admin interface. Since the attack occurs in the admin panel, the impact is elevated compared to a typical reflected XSS.
Mitigation
The vulnerability affects AAWP plugin versions up to and including 3.16. Users should upgrade to a patched version if available. As of the CVE publication, no official patch has been confirmed, but the vendor page [1] should be monitored for updates. No known workaround has been provided.
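As an added illustration, not code from the AAWP plugin or from this record, the following PHP shows the CWE-79 pattern described above on a WordPress settings page: a tab navigation that echoes the raw tab query parameter into its markup, beside a hardened version that restricts tab to a fixed allow-list and escapes every value on output. The function names, the settings page slug and the tab list are assumptions made for the example; the WordPress helpers used (sanitize_key, wp_unslash, add_query_arg, admin_url, esc_attr, esc_url, esc_html) are real core functions.

```php
<?php
// Added illustration of the reflected-XSS pattern (CWE-79) on a WordPress
// admin settings page. Hypothetical code, not taken from the AAWP plugin.

// Vulnerable pattern: the raw query parameter is written straight into an
// HTML attribute and into the link text. A crafted value can close the
// attribute and add its own markup or event handler, which the browser
// then runs in the logged-in administrator's session.
function example_render_tab_nav_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    // BAD: no validation and no output escaping
    echo '<a class="nav-tab nav-tab-active" href="?page=example-settings&tab=' . $tab . '">';
    echo ucfirst( $tab ) . '</a>';
}

// Hardened pattern: the set of tabs is fixed in code (assumed list).
function example_allowed_tabs() {
    return array(
        'general' => 'General',
        'display' => 'Display',
        'support' => 'Support',
    );
}

// Resolve the requested tab against the allow-list. Anything that is not a
// known slug falls back to the default instead of being reflected.
function example_current_tab() {
    $tabs = example_allowed_tabs();
    // sanitize_key() lowercases and strips everything except [a-z0-9_-]
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    return array_key_exists( $tab, $tabs ) ? $tab : 'general';
}

// Render the navigation from the allow-list only; user input never reaches
// the output directly, and every emitted value is still escaped for its
// context (attribute, URL, text) as defence in depth.
function example_render_tab_nav_hardened() {
    $current = example_current_tab();
    foreach ( example_allowed_tabs() as $slug => $label ) {
        $class = 'nav-tab' . ( $slug === $current ? ' nav-tab-active' : '' );
        $url   = add_query_arg(
            array( 'page' => 'example-settings', 'tab' => $slug ),
            admin_url( 'admin.php' )
        );
        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),
            esc_url( $url ),
            esc_html( $label )
        );
    }
}
```

The allow-list is the decisive control here: once the tab value can only be one of the slugs defined in code, the reflected input never reaches the page, and the esc_* calls only guard against mistakes elsewhere in the template. Site owners who cannot update yet can also reduce the blast radius of any admin-panel XSS with a Content-Security-Policy that disallows inline script, and should watch access logs for requests to the settings page whose tab parameter contains encoded quote or angle-bracket characters.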
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 3.16
Package: https://wordpress.org/plugins/aawp
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.