CVE-2022-0431

Published: Apr 4, 2022Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting

Affected (1)

Products: Insights From Google Pagespeed Project: Insights From Google Pagespeed

Insights From Google Pagespeed Project

1 product

Insights From Google Pagespeed

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Insights From Google Pagespeed Project Insights From Google Pagespeed	Before 4.0.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://plugins.trac.wordpress.org/changeset/2690415

Source: contact@wpscan.com

PatchThird Party Advisory

https://wpscan.com/vulnerability/52bd94df-8816-48fd-8788-38d045eb57ca

Source: contact@wpscan.com

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2690415

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://wpscan.com/vulnerability/52bd94df-8816-48fd-8788-38d045eb57ca

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.