CVE-2022-4699

Source
https://cve.org/CVERecord?id=CVE-2022-4699
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4699.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-4699
Published
2023-01-30T20:31:47.064Z
Modified
2026-07-08T06:03:24.561654935Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode
Details

The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "4.2.8"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "4.2.8"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/4xxx/CVE-2022-4699.json",
    "cna_assigner": "WPScan"
}
References

Affected packages

Git / github.com/mediaelement/mediaelement

Affected ranges

Type
GIT
Repo
https://github.com/mediaelement/mediaelement
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:mediaelementjs:mediaelement.js:*:*:*:*:*:wordpress:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.8"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.12.0
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.16.2
2.16.3
2.16.4
2.17.0
2.18.0
2.18.1
2.18.2
2.19.0
2.20.0
2.20.1
2.21.0
2.21.1
2.21.2
2.22.0
2.22.1
2.23.0
2.23.1
2.23.2
2.23.3
2.23.4
2.23.5
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4699.json"