CVE-2022-1028

Name of the Vulnerable Software and Affected Versions WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin versions prior to 4.2.1

Description The issue allows malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered html is disallowed, such as in a multisite setup. This occurs due to the plugin's failure to properly sanitise and escape some of its settings.

Recommendations For versions prior to 4.2.1, update to version 4.2.1 or later to resolve the issue. As a temporary workaround, consider restricting administrator privileges to trusted users only until the update is applied.