CVE-2022-4458

Name of the Vulnerable Software and Affected Versions amr shortcode any widget WordPress plugin versions prior to 4.0

Description The issue concerns the amr shortcode any widget WordPress plugin, where it fails to validate and escape some of its shortcode attributes before outputting them back in the page. This could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins.

Recommendations For versions prior to 4.0, update to a version that includes the necessary validation and escaping of shortcode attributes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting the use of the amr shortcode any widget plugin until a secure version is available.