CVE CyberSecurity Database News

CVE-2022-3601 - Detailed Look At the Image Hover Effects Css3 WordPress Plugin XSS Vulnerability

Poster -

In WordPress security, we often see vulnerabilities related to plugins. Today, we’re covering CVE-2022-3601, which affects the popular "Image Hover Effects Css3" plugin, versions up to 4.5. This flaw lets high-privilege users—like admins—inject malicious code (JavaScript) into pages. What’s noteworthy? This is possible even if the unfiltered_html capability is *disabled*, such as in WordPress multisite environments.

Below, we’ll break down the vulnerability, show sample code, discuss exploitation, and provide references for further reading.

What Is CVE-2022-3601?

This CVE tracks a Stored Cross-Site Scripting (XSS) vulnerability in the "Image Hover Effects Css3" WordPress plugin (up through version 4.5).

Bug Source: The plugin fails to properly sanitize and escape certain settings.

- Who’s at risk? Any site with high-privilege users (admins, editors) who aren’t allowed direct JavaScript input (e.g., no unfiltered_html).
- Potential Impact: Attackers can inject persistent JavaScript via plugin settings. Other admins who load the plugin page may trigger the script, risking privilege escalation or session theft.

How the Exploit Works

In the admin dashboard, high-privilege users can configure hover effects. Some of those settings, such as button text or image caption, are saved and output on the front end and sometimes in the admin GUI. The plugin didn’t properly sanitize this input, so an attacker could add JavaScript code.

A user can inject a JavaScript payload like the following as an image hover caption

<img src="photo.jpg" alt="My Photo" />
<script>alert('XSS by CVE-2022-3601');</script>

Or, more commonly, inside the settings field

">
<script>alert('CVE-2022-3601 XSS Exploit');</script>
<"

When another user with privileges visits the image hover list or a page where the hover block is embedded, the injected script runs.

`html

">alert('XSS by CVE-2022-3601');

`

4. Save/Update the hover effect.

In the plugin code, you might find something like

echo $_POST['button_text'];

*No sanitization means attackers can insert any HTML or JS here.*

To fix this, developers should use esc_html() or esc_attr()

echo esc_html($_POST['button_text']);

Now, any inserted script tags will just be displayed as text, not run as code.

Real-World Impact

Even though only administrators (or similar) can exploit this, in WordPress Multisite or tightly controlled environments, plugins are expected to honor the unfiltered_html setting. With this bug, an admin on a single site (not superadmin) can still execute JavaScript and potentially hijack sessions or infect dashboards of other privileged users.

Update to the latest version of the plugin. The developer patched the bug in version after 4.5.

- If you can’t update, consider disabling the plugin, or restrict admin access to trusted staff only.

References & Further Reading

- WPScan Advisory: CVE-2022-3601
- NVD Entry for CVE-2022-3601
- WordPress Plugin Page (for updates)
- Original Vulnerability Disclosure

Conclusion

CVE-2022-3601 serves as a reminder that improper input handling—even by trusted, high-privilege users—can still open the door to attacks, especially in shared or restricted environments like multisite. Always keep plugins updated, and double-check that all user input is properly sanitized and escaped before being output.

If you run Image Hover Effects Css3, upgrade now and stay one step ahead of attackers! (And as always, least privilege is your friend.)

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:43:00 UTC