CVE-2022-2936

Name of the Vulnerable Software and Affected Versions Image Hover Effects Ultimate plugin for WordPress versions up to, and including, 9.7.3

Description The issue arises from insufficient input sanitization and output escaping in the Video Link values that can be added to an Image Hover. This allows authenticated attackers to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. By default, only administrators have access to edit Image Hovers, but if the 'Who Can Edit?' setting is modified to allow lower privileged users to access the plugin's features, these users can also exploit the issue.

Recommendations For versions up to, and including, 9.7.3, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the Image Hover editing feature to only high-privileged users, such as administrators, to minimize the risk of exploitation.