CVE-2022-0448

MEDIUM

CP Blocks < 1.0.15 - Authenticated Stored Cross-Site Scripting via License ID Setting


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-0448. PoCs published by Shweta Mahajan.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in WordPress Plugin CP Blocks 1.0.14. The exploit involves injecting a JavaScript payload into the 'License ID' field, which gets stored in the database and executed when triggered.

Description

The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" setting, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Exploits (1)

exploitdb WRITEUP
by Shweta Mahajan · text · webapps · php
https://www.exploit-db.com/exploits/50724

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin CP Blocks 1.0.14
Auth required
Prerequisites: WordPress installation · CP Blocks plugin version 1.0.14 installed and activated · Access to the CP Blocks - License section
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/d4ff63ee-28e6-486e-9aa7-c878b97f707c

Scores

CVSS v3 4.8
EPSS 0.0575
EPSS Percentile 92.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
dwbooster/cp_blocks < 1.0.15
Published Mar 07, 2022
Tracked Since Feb 18, 2026