CVE-2022-3149

MEDIUM

WP Custom Cursors < 3.0.1 - Cross-Site Request Forgery and Stored Cross-Site Scripting

Description

The WP Custom Cursors WordPress plugin before 3.0.1 does not have a CSRF check in place when creating and editing cursors, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting.

Scores

CVSS v3 6.1
EPSS 0.0025
EPSS Percentile 16.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352 CWE-79
Status published
Products (1)
wp_custom_cursors_project/wp_custom_cursors < 3.0.1
Published Oct 17, 2022
Tracked Since Feb 18, 2026