CVE-2022-1093

Name of the Vulnerable Software and Affected Versions WP Meta SEO WordPress plugin versions prior to 4.4.7

Description The issue allows a high privilege user, such as an administrator, to inject arbitrary javascript into the page. This is possible because the breadcrumb separator is not properly sanitised or escaped before being outputted to the page, even when unfiltered html is disallowed.

Recommendations For versions prior to 4.4.7, update to version 4.4.7 or later to resolve the issue. As a temporary workaround, consider restricting the ability to modify the breadcrumb separator to only trusted administrators until a patch is applied.