CVE-2022-2473 in WP-UserOnline Plugin
Summary
by MITRE • 09/06/2022
The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘templates[browsingpage][text]' parameter in versions up to, and including, 2.87.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative capabilities and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The only affects multi-site installations and installations where unfiltered_html is disabled.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/08/2026
The WP-UserOnline plugin vulnerability represents a critical stored cross-site scripting flaw that exploits insufficient input sanitization and output escaping mechanisms within WordPress environments. This vulnerability specifically targets the 'templates[browsingpage][text]' parameter, which allows malicious actors to inject persistent malicious scripts into the plugin's configuration system. The flaw exists in versions up to and including 2.87.6, making it a widespread concern for WordPress installations that utilize this particular plugin. The vulnerability's impact is particularly severe because it requires only authenticated access with administrative privileges or higher, meaning that compromised administrator accounts or attackers with elevated permissions can exploit this weakness to execute arbitrary web scripts across affected installations.
The technical execution of this vulnerability occurs through the manipulation of the plugin's template configuration parameters, where user input is not properly sanitized before being stored in the database and subsequently rendered on web pages. When legitimate users access pages containing the maliciously injected scripts, these scripts execute in their browsers, potentially leading to session hijacking, credential theft, or further exploitation of the victim's privileges. This stored XSS vulnerability operates through the WordPress multi-site installation architecture, specifically affecting installations where the unfiltered_html capability has been disabled, which represents a common security hardening practice in enterprise environments. The exploitation requires an attacker to have administrative access or equivalent privileges, but once achieved, the impact extends to all users who view the compromised pages, making it particularly dangerous in multi-user environments.
The operational impact of this vulnerability extends beyond simple script execution to encompass potential data breaches, privilege escalation, and persistent backdoor access within affected WordPress installations. Attackers can leverage this vulnerability to establish long-term access to compromised systems, monitor user activities, and potentially exfiltrate sensitive information from the WordPress environment. The vulnerability affects multi-site installations specifically because the plugin's template handling mechanism operates differently in these environments, creating additional attack vectors that are not present in single-site configurations. Organizations with WordPress installations that have disabled unfiltered_html capabilities are particularly at risk, as this security measure is designed to prevent exactly this type of vulnerability exploitation, yet the flaw still persists due to inadequate input validation within the plugin's codebase. This vulnerability aligns with CWE-79, which classifies cross-site scripting flaws, and represents a specific implementation weakness that could be addressed through proper input sanitization and output escaping techniques.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to versions that address the stored XSS flaw, combined with network-level monitoring to detect potential exploitation attempts. Organizations should implement strict access controls and privilege management to minimize the risk of unauthorized administrative access, as the vulnerability requires elevated privileges to exploit effectively. Security teams should conduct comprehensive audits of all installed WordPress plugins to identify similar vulnerabilities, particularly in plugins that handle user input through configuration parameters. The implementation of Content Security Policy headers can provide additional defense-in-depth measures to prevent script execution, though this approach is secondary to addressing the root cause through proper plugin updates. Regular security scanning and monitoring of WordPress installations for known vulnerabilities, combined with automated patch management systems, will help prevent exploitation of similar weaknesses in other plugins or core WordPress components. This vulnerability demonstrates the critical importance of maintaining up-to-date third-party plugins and implementing comprehensive security practices that include both perimeter defenses and internal access controls to protect against authenticated attacks that can lead to persistent system compromise.