CVE-2022-50970
Reflected XSS in AAWP WordPress Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| awpcp | aa_wp | 3.16 |
| awp | wordpress_plugin_aawp | to 3.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50970 is a reflected cross-site scripting (XSS) vulnerability found in the WordPress Plugin AAWP version 3.16 or earlier.
This vulnerability allows authenticated attackers to inject malicious scripts by manipulating the "tab" parameter on the "aawp-settings" admin page.
Attackers can craft URLs containing XSS payloads in this parameter, which then execute arbitrary JavaScript in the context of authenticated users.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code within the context of authenticated users on your WordPress site.
Such execution can lead to unauthorized actions, theft of sensitive information such as session tokens or cookies, and potentially compromise user accounts.
Because the vulnerability requires authentication, attackers must have some level of access, but once exploited, it can be used to escalate privileges or perform malicious activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'tab' parameter in the 'aawp-settings' admin page of the WordPress Plugin AAWP for reflected cross-site scripting (XSS) payloads. Authenticated users can attempt to inject JavaScript code via crafted URLs to see if the input is improperly sanitized and executed.
A practical approach is to manually craft URLs with XSS payloads in the 'tab' parameter and observe if the script executes in the browser context of an authenticated user.
Example command using curl to test the vulnerability (replace example.com with your domain and ensure you have valid authentication cookies):
- curl -b 'wordpress_logged_in=your_auth_cookie' 'https://example.com/wp-admin/admin.php?page=aawp-settings&tab=<script>alert(1)</script>'
If the alert box or script executes, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict access to the 'aawp-settings' admin page to only trusted and necessary authenticated users to reduce the attack surface.
- Avoid clicking on or visiting suspicious URLs containing the 'tab' parameter with unexpected or untrusted input.
- Monitor and audit user activity on the WordPress admin area for any unusual behavior or unexpected script execution.
- Apply updates or patches from the plugin vendor as soon as they become available to fix the vulnerability.
If no patch is available yet, consider temporarily disabling the AAWP plugin or removing it until a fix is released.