QwikSec

Security Database

CVE

CWE

Training

CVE-2022-3144

Published: Sep 23, 2022

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

4.4

MEDIUM

Description

The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value. This makes it possible for authenticated users, with administrative privileges, to inject malicious web scripts into the setting that executes whenever a user accesses a page displaying the affected setting on sites running a vulnerable version.

Vendor	Product	Versions
mmaunder	Wordfence Security – Firewall, Malware Scan, and Login Security	affected `0 - <= 7.6.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/833eb481-4fb4-432e-8e93-3f497ccbf1eb?source=cve

https://wordpress.org/plugins/wordfence/#developers

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-3144

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2780937%40wordfence&new=2780937%40wordfence&sfp_email=&sfph_mail=

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.