CVE-2022-2629 in Top Bar Plugininfo

Summary

by MITRE • 10/11/2022

The Top Bar WordPress plugin before 3.0.4 does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/26/2026

The vulnerability identified as CVE-2022-2629 affects the Top Bar WordPress plugin version 3.0.3 and earlier, representing a critical security flaw that undermines the integrity of web applications built on the WordPress platform. This issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating an exploitable condition that allows malicious actors to inject persistent malicious scripts into web pages. The vulnerability specifically targets the plugin's handling of user-provided settings that are subsequently rendered in frontend pages without proper security measures.

The technical flaw manifests in the plugin's failure to properly sanitize and escape user input data before rendering it in the browser context. This oversight creates a stored cross-site scripting vulnerability where malicious scripts can be permanently embedded within the plugin's settings and subsequently executed whenever affected pages are loaded by unsuspecting users. The vulnerability is particularly concerning because it affects high-privilege users including administrators who possess the capability to modify plugin settings, yet the flaw persists even when WordPress security measures such as the disallowance of unfiltered_html capability are in place. This includes multisite configurations where security restrictions are typically more stringent, making the vulnerability even more dangerous in enterprise environments.

The operational impact of this vulnerability extends beyond simple script injection, potentially enabling attackers to perform session hijacking, defacement of websites, data theft, and privilege escalation attacks. The stored nature of the XSS vulnerability means that once a malicious script is injected, it will persistently affect all users who visit the affected pages until the malicious code is removed from the plugin settings. Attackers can leverage this vulnerability to steal administrator credentials, modify website content, redirect users to malicious sites, or even install backdoors for persistent access to compromised systems. The vulnerability's presence in multisite setups compounds the risk as a single compromised site can potentially affect the entire network of interconnected WordPress installations.

Security professionals should note that this vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in software applications. The attack vector follows patterns consistent with ATT&CK technique T1566 which involves phishing and social engineering to gain initial access to systems, while the persistence mechanism relates to T1078 which covers valid accounts and legitimate credentials for maintaining access. Organizations should immediately update to version 3.0.4 or later of the Top Bar plugin to remediate this vulnerability. Additionally, administrators should conduct thorough audits of all installed plugins to identify similar sanitization issues, implement proper input validation measures, and ensure that security configurations such as the unfiltered_html capability are appropriately managed across multisite environments. Regular security scanning and monitoring of web applications remain essential practices to detect and prevent exploitation of similar vulnerabilities in the broader WordPress ecosystem.

Reservation

08/02/2022

Disclosure

10/11/2022

Moderation

accepted

CPE

ready

EPSS

0.00506

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!