WP Home Page Menu <= 3.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability

Administrator

Published
2022-02-20

The WP Home Page Menu WordPress plugin before 3.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE

https://www.cve.org/CVERecord?id=CVE-2022-0684

CVSS

Score:4.8

Severity:Medium

Version: 3.0

There is a patch available in v3.1 and we strongly recommend you update to this version as soon as possible.