CVE-2022-3144
Wordfence Security – Firewall & Malware Scan <= 7.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting
| CVSS Score | 4.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page, due to insufficient escaping of the stored value. On sites running a vulnerable version, this makes it possible for authenticated users with administrative privileges to inject malicious web scripts into the setting; the scripts execute whenever a user accesses a page that displays the affected setting.
| CWE | CWE-79 |
| Vendor | mmaunder |
| Product | wordfence security – firewall, malware scan, and login security |
| Published | Sep 23, 2022 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | High |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
mmaunder / Wordfence Security – Firewall, Malware Scan, and Login Security: versions 0 through 7.6.0 (≤ 7.6.0)
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/833eb481-4fb4-432e-8e93-3f497ccbf1eb?source=cve
wordpress.org: https://wordpress.org/plugins/wordfence/#developers
wordfence.com: https://www.wordfence.com/vulnerability-advisories/#CVE-2022-3144
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2780937%40wordfence&new=2780937%40wordfence&sfp_email=&sfph_mail=
Credits
Ori Gabriel