CVE-2022-4790 in WP Google My Business Auto Publish Plugin

Summary

by MITRE • 01/23/2023

The WP Google My Business Auto Publish WordPress plugin before 3.4 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.


Analysis

by VulDB Data Team • 04/03/2025

The vulnerability identified as CVE-2022-4790 affects the WP Google My Business Auto Publish WordPress plugin version 3.3 and earlier, representing a critical security flaw that undermines the integrity of WordPress sites relying on this plugin. This issue stems from insufficient input validation and output escaping mechanisms within the plugin's shortcode implementation, creating a pathway for malicious actors to inject persistent malicious scripts into the website's content. The vulnerability specifically targets the plugin's shortcode attributes, which are typically used to display Google My Business information within WordPress pages and posts, making it particularly dangerous as it can affect content displayed to all website visitors.

The technical flaw manifests when the plugin fails to properly sanitize user-supplied data within its shortcode attributes, allowing attackers to inject malicious JavaScript code that persists in the database. This stored cross-site scripting vulnerability occurs because the plugin does not adequately validate or escape the input before rendering it in the browser context, enabling attackers to execute arbitrary code in the victim's browser session. The vulnerability's severity is amplified by the fact that it can be exploited by users with relatively low privileges, specifically contributors who typically have limited capabilities within WordPress. This privilege escalation aspect makes the vulnerability particularly concerning as it allows users who should not have the ability to inject malicious code to do so through legitimate plugin functionality, effectively bypassing WordPress's standard permission controls.
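The flaw class described above, as an added example that is not the plugin's own code: a hypothetical shortcode `demo_gmb_button` with assumed attributes `label` and `class`, rendered first as stored and then with allow-list validation and escaping for the output context. The stand-in functions at the top are assumptions that exist only so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example: hypothetical shortcode [demo_gmb_button], NOT the plugin's code.
// Stand-ins so the file also runs under plain `php`; WordPress supplies the real ones.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function shortcode_atts( $pairs, $atts ) {
        // Keep only the declared attribute names, falling back to their defaults.
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}

// Vulnerable pattern: attribute values are placed into the markup exactly as stored.
function demo_button_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'label' => 'Review us', 'class' => 'gmb' ), $atts );
    return '<a class="' . $a['class'] . '">' . $a['label'] . '</a>';
}

// Hardened pattern: validate against an allow-list, then escape for the output context.
function demo_button_hardened( $atts ) {
    $a       = shortcode_atts( array( 'label' => 'Review us', 'class' => 'gmb' ), $atts );
    $allowed = array( 'gmb', 'gmb-large', 'gmb-small' ); // assumed set of valid classes
    $class   = in_array( $a['class'], $allowed, true ) ? $a['class'] : 'gmb';
    return '<a class="' . esc_attr( $class ) . '">' . esc_html( $a['label'] ) . '</a>';
}

if ( function_exists( 'add_shortcode' ) ) {
    // Inside WordPress: register only the hardened handler.
    add_shortcode( 'demo_gmb_button', 'demo_button_hardened' );
} else {
    // Constructed attribute values containing a quote and markup characters.
    $atts = array( 'class' => 'x" data-injected="1', 'label' => '<em>markup</em>' );
    echo demo_button_vulnerable( $atts ), PHP_EOL; // quote closes the attribute early
    echo demo_button_hardened( $atts ), PHP_EOL;   // class rejected, label entity-encoded
}
```

Validation and escaping do different jobs here: the allow-list rejects values the attribute should never hold, while `esc_attr()` and `esc_html()` make whatever remains inert in the HTML it is written into.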

The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform a wide range of malicious activities including session hijacking, data theft, and unauthorized modifications to website content. The stored nature of the XSS attack means that the malicious scripts are permanently embedded in the website's database and will execute every time the affected shortcode is rendered, making it extremely difficult to detect and remove. This persistent threat can compromise user sessions, steal sensitive information from authenticated users, and potentially provide attackers with a foothold for further exploitation within the WordPress environment. The vulnerability also poses risks to the website's reputation and search engine rankings, as malicious scripts could be executed in the context of legitimate website content, potentially triggering security warnings from browsers and search engines.

Mitigation strategies for CVE-2022-4790 primarily involve immediate upgrading to version 3.4 or later of the WP Google My Business Auto Publish plugin, which contains the necessary patches to address the input validation and output escaping deficiencies. Administrators should also implement comprehensive monitoring of their WordPress installations to detect any suspicious activity or unauthorized modifications that might indicate exploitation attempts. Additional defensive measures include restricting user roles and capabilities within WordPress, implementing proper content security policies, and conducting regular security audits of installed plugins to ensure all third-party components are up to date. The vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and potentially maps to ATT&CK technique T1566 related to phishing with malicious attachments or links, as attackers might leverage this vulnerability to deliver malicious payloads to unsuspecting users. Organizations should also consider implementing web application firewalls and security headers to provide additional layers of protection against similar vulnerabilities in other components of their web infrastructure.

Reservation: 12/28/2022

Disclosure: 01/23/2023

Moderation: accepted

CPE: ready

EPSS: 0.00181

KEV: no

Activities: very low
