Beta

Report

Custom TinyMCE Shortcode Button <= 1.1 is vulnerable to Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated
Published
2022-04-18

The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

CVE

https://www.cve.org/CVERecord?id=CVE-2022-1217

CVSS

Score:4.8

Severity:Medium

Version: 1.1

The plugin vendor has not patched this vulnerability at the moment.