CVE-2022-3829 in Font Awesome 4 Menus Plugin
Summary
by MITRE • 01/16/2024
The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/20/2025
The vulnerability identified as CVE-2022-3829 affects the Font Awesome 4 Menus WordPress plugin version 4.7.0 and earlier, presenting a critical security risk through stored cross-site scripting flaws. This issue specifically targets the plugin's handling of user settings and configuration data within WordPress environments, creating a pathway for attackers to execute malicious scripts in the context of affected websites. The vulnerability is particularly concerning because it exploits a privilege escalation scenario where high-privilege users such as administrators can bypass standard security restrictions that typically protect against script injection attacks.
The technical flaw stems from inadequate sanitization and escaping of user input within the plugin's settings management system. When administrators configure menu settings through the WordPress admin interface, the plugin fails to properly validate and escape the data before storing it in the database. This allows malicious payloads to be stored persistently within the plugin's configuration, which then gets executed whenever the affected settings are rendered in the frontend or admin interface. The vulnerability specifically affects scenarios where the unfiltered_html capability has been restricted, which is a common security practice in multisite WordPress installations where administrators want to limit the types of HTML content that can be submitted by users.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers with admin-level privileges to potentially compromise entire WordPress installations. In multisite environments where security restrictions are enforced, attackers can leverage this vulnerability to bypass the intended security controls that normally prevent stored XSS attacks. The attack vector is particularly dangerous because it operates within the context of legitimate administrative sessions, making detection more difficult. This vulnerability can be exploited to perform actions such as cookie theft, session hijacking, or redirection to malicious websites, ultimately leading to full compromise of the affected WordPress sites.
The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and demonstrates characteristics consistent with the ATT&CK technique T1059.001 for command and scripting interpreter. Organizations using the affected plugin version should immediately implement mitigations including immediate plugin updates to versions that address the sanitization issues. Additionally, administrators should review and restrict user capabilities within multisite environments to minimize the attack surface, and consider implementing additional security monitoring for unusual administrative activities. The recommended approach includes verifying that all user input is properly escaped and validated before storage, implementing Content Security Policy headers, and maintaining regular security audits of installed plugins to identify similar vulnerabilities across the entire WordPress ecosystem.