CVE-2022-41980 - Authenticated XSS Vulnerability in Mantenimiento Web Plugin <= .13 for WordPress

In recent years, WordPress has cemented its place as the world’s most popular CMS. But popularity draws attention not only from developers, but also from security researchers and unfortunately, attackers. One such finding is CVE-2022-41980, a vulnerability affecting the Mantenimiento web plugin (all versions up to and including .13). This bug allows an authenticated admin (or higher) user to execute Cross-Site Scripting (XSS) attacks, potentially putting the site and its users at risk.

In this post, we’ll break down what this vulnerability is, how it works, and even explore a working exploit. Everything will be explained in clear, everyday language—enough for you to grasp the core issues, even if you're not a security guru.

What is CVE-2022-41980?

CVE-2022-41980 is a reflected XSS vulnerability in the “Mantenimiento web” plugin for WordPress. The vulnerability exists because the plugin fails to sanitize user-supplied input before displaying it in the admin dashboard. This makes it possible for an authenticated user with admin rights to inject malicious JavaScript code.

Vulnerability Type: Authenticated (Admin+) XSS

> Reference:  
> - WPScan Advisory  
> - NVD CVE-2022-41980  

Why Does It Matter if It’s “Authenticated”?

This is not an “anyone on the internet” type of bug; it requires a logged-in admin user to exploit. However, in the WordPress world, *not all admins are created equal*, and many sites have multiple admins, or even plugins that incorrectly give more users admin-level permissions. Once an XSS is triggered by an admin, it could be used to:

Where’s the Vulnerable Code?

The root of the problem lies in how the plugin handles certain options and displays them on the “Maintenance Mode” settings page. It outputs user-controlled input directly into the page without escaping or sanitizing it.

A snippet from the vulnerable plugin, as of version .13, might look like this (simplified for clarity):

// In a settings page file:
<?php
echo '<input type="text" name="mw_custom_msg" value="' . $_POST['mw_custom_msg'] . '">';
?>

If an admin enters the following as the custom maintenance message

"><script>alert('XSS!')</script>

…this JavaScript will execute in the browser of anyone visiting the settings page.

`

">alert('XSS!')

When the settings page reloads (for you or any other admin), the script executes.

*Screenshot of exploitation (imagine you see an alert box):*

!XSS Exploit Example

Attack Impact in the Real World

- Privilege Escalation: If you have multiple admins, a malicious admin could steal cookies, inject further code, or even create new admin accounts.
- Persistence: Injected scripts could load remote JavaScript (for example, to add a keylogger or load malware).
- Supply-Chain Danger: If your WordPress admin area is shared or managed by a third party (outsourced IT, etc.), the trust relationship could be abused.

Remediation: How to Protect Yourself

1. Upgrade/Disable the plugin. If you don’t need Mantenimiento web, deactivate and remove it.  
2. If you absolutely must use it, check if the author has pushed a fix after version .13. As of now, there is no known fix.

Secure Coding: How Should it Have Been Done?

All output should *escape* and *sanitize* user input, especially when rendering it in HTML!

Using WordPress’s own escaping functions, such as esc_attr, makes things safer. Here’s a fixed version:

// FIXED version for settings page
<?php
echo '<input type="text" name="mw_custom_msg" value="' . esc_attr($_POST['mw_custom_msg']) . '">';
?>

This function would clean up any dangerous characters, neutralizing XSS vectors.

References

- WPScan Advisory for CVE-2022-41980
- NVD CVE-2022-41980 Details
- Mantenimiento web Plugin on WordPress.org

Conclusion

CVE-2022-41980 is a textbook example of how improper handling of user input can introduce serious vulnerabilities—even when only admins can exploit it. If you’re running the Mantenimiento web plugin, update or remove it as soon as possible. Always sanitize and escape anything that might end up in your page’s HTML.

If you found this breakdown useful, consider sharing it with your WordPress colleagues—let’s make the web a little safer, one plugin at a time!

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:50:00 UTC