If you’re running a WordPress site that uses the Rock Convert plugin, you need to know about CVE-2022-3441. This security weakness gave attackers with admin access a way to inject malicious scripts (Stored Cross-Site Scripting or XSS) — even if the usual unfiltered_html protection was in place, such as in multisite WordPress setups.
Let’s break it down in everyday language, show some actual offending code, demonstrate how an attacker might use it, and explain how to protect your website.
What is CVE-2022-3441?
CVE-2022-3441 is the identifier for a security bug in Rock Convert, a popular WordPress marketing plugin. The issue exists in all versions before 2.11..
Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Affected Plugin: Rock Convert
Fixed In: Version 2.11.
The flaw? The plugin did not sanitize or escape some settings before saving or displaying them in the WordPress dashboard. If an admin (or anyone with equivalent privileges) added certain scripts, they could get executed inside the browser of *other* admins, editors, or even general users with dashboard access — without needing the risky unfiltered_html privilege that WordPress typically restricts on multisite installations.
The vulnerable code handled plugin settings like this
// An example from the plugin's settings page before version 2.11.:
echo '<input type="text" name="rock_field" value="' . $_POST['rock_field'] . '">';
No escaping or sanitization happens before outputting the input’s value. So if an attacker (with admin rights) submits something evil for rock_field, it just appears *as is* on the settings page.
A malicious admin could input the following as a value for the setting
"><script>alert('XSS!')</script>
The next time any other admin opens the plugin settings page, this injected script runs in their browser — creating a stored XSS attack.
Why This Matters in Multisite
Normally, only admins with the very powerful unfiltered_html capability can use JavaScript in WordPress. But on multisite installs, WordPress removes this from admins for extra safety. Yet, *this vulnerability bypassed that protection*, since the plugin output the fields directly.
`html
">alert('CVE-2022-3441')
Save changes.
6. When any dashboard user loads this settings page in the admin area, a popup appears — but in a real attack, this could allow cookie theft, privilege escalation, or delivering more malware.
Persistence: Once injected, the payload executes for everyone until removed.
- Privilege Escalation: On multisite, admins are not meant to run raw JavaScript, but this bypasses that.
- Multi-admin Sites at Risk: Exactly the use case for WordPress multisite + agency/enterprise sites.
How Was It Fixed?
The plugin maintainers patched this in version 2.11.. They used proper escaping and sanitization functions before displaying user-supplied data, such as:
echo '<input type="text" name="rock_field" value="' . esc_attr( get_option('rock_field') ) . '">';
This prevents arbitrary code from being injected or executed.
Review Settings: Look for suspicious content in your Rock Convert fields.
- Follow Best Practices: Don’t reuse admin accounts, set up activity logs, and stay updated on plugin versions.
Resources & References
- CVE-2022-3441 (WPScan)
- WordPress Plugin Page - Rock Convert
- Patch Diff (GitHub Rock-Content)
- How to Write Secure WordPress Plugins
- WordPress XSS Explained (OWASP)
Final Thoughts
Even if you’re not a developer, understanding how simple mistakes can lead to exposures like CVE-2022-3441 can help you keep your site safer. Make updates regularly and keep an eye on what your plugins are doing “under the hood.”
Timeline
Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 15:53:00 UTC