CVE-2022-4207

Name of the Vulnerable Software and Affected Versions Image Hover Effects Ultimate plugin for WordPress versions 9.8.1 through 9.8.4

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in several values that can be added to an Image Hover. This allows authenticated attackers to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. By default, only administrators have access to edit Image Hovers, but if the 'Who Can Edit?' setting is changed to allow lower privileged users to access the plugin's features, these users can also exploit the issue.

Recommendations For versions 9.8.1 through 9.8.4, consider disabling the editing of Image Hovers for lower privileged users by adjusting the 'Who Can Edit?' setting to only allow administrators access until a patch is available. As a temporary workaround, restrict access to the plugin's features to minimize the risk of exploitation. Avoid using the plugin's vulnerable features until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.