cvedb.io
CVE-2022-0376
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2022-05-30T09:15:08.280 · Last modified 2026-06-17T04:20:29.293

Summary

The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Affected products

user-meta — user_meta_user_profile_builder_and_user_management

Does this affect you?

Add your gear to cvedb and we'll alert you only when user-meta ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.