CVE-2022-50970
Received Received - Intake
Reflected XSS in AAWP WordPress Plugin

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-18
NVD
CVE-2022-50970
EUVD
EUVD-2022-55991
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
awpcp aa_wp 3.16
awp wordpress_plugin_aawp to 3.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the reflected cross-site scripting vulnerability in the WordPress Plugin AAWP affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2022-50970 is a reflected cross-site scripting (XSS) vulnerability found in the WordPress Plugin AAWP version 3.16 or earlier.

This vulnerability allows authenticated attackers to inject malicious scripts by manipulating the "tab" parameter on the "aawp-settings" admin page.

Attackers can craft URLs containing XSS payloads in this parameter, which then execute arbitrary JavaScript in the context of authenticated users.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code within the context of authenticated users on your WordPress site.

Such execution can lead to unauthorized actions, theft of sensitive information such as session tokens or cookies, and potentially compromise user accounts.

Because the vulnerability requires authentication, attackers must have some level of access, but once exploited, it can be used to escalate privileges or perform malicious activities.

Detection Guidance

This vulnerability can be detected by testing the 'tab' parameter in the 'aawp-settings' admin page of the WordPress Plugin AAWP for reflected cross-site scripting (XSS) payloads. Authenticated users can attempt to inject JavaScript code via crafted URLs to see if the input is improperly sanitized and executed.

A practical approach is to manually craft URLs with XSS payloads in the 'tab' parameter and observe if the script executes in the browser context of an authenticated user.

Example command using curl to test the vulnerability (replace example.com with your domain and ensure you have valid authentication cookies):

  • curl -b 'wordpress_logged_in=your_auth_cookie' 'https://example.com/wp-admin/admin.php?page=aawp-settings&tab=<script>alert(1)</script>'

If the alert box or script executes, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the 'aawp-settings' admin page to only trusted and necessary authenticated users to reduce the attack surface.
  • Avoid clicking on or visiting suspicious URLs containing the 'tab' parameter with unexpected or untrusted input.
  • Monitor and audit user activity on the WordPress admin area for any unusual behavior or unexpected script execution.
  • Apply updates or patches from the plugin vendor as soon as they become available to fix the vulnerability.

If no patch is available yet, consider temporarily disabling the AAWP plugin or removing it until a fix is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50970. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart