CVE-2022-3904

MEDIUM

MonsterInsights < 8.9.1 - Unauthenticated Stored Cross-Site Scripting via Page Title Spoofing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-3904, a PoC published by RandomRobbieBF.

AI-analyzed exploit summary:
This repository contains a functional exploit for CVE-2022-3904, a stored XSS vulnerability in MonsterInsights WordPress plugin versions below 8.9.1. The exploit uses Selenium to automate browser interactions and sends crafted requests to Google Analytics that carry the script payload as a spoofed page title.

Description

The MonsterInsights WordPress plugin before 8.9.1 does not sanitise or escape page titles in its top posts/pages section. Those titles are taken from the site's Google Analytics reports, so an unauthenticated attacker can spoof analytics requests for the target site with a crafted page title, have the arbitrary web script stored in the report data, and have it rendered when the section is viewed in the dashboard.
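The data flow the description above implies, as an added JavaScript example that is neither the plugin's code nor the published PoC: a spoofed Google Analytics pageview hit carrying a script payload in its document title, built with the Universal Analytics Measurement Protocol field names (v, tid, cid, t, dp, dt) but never sent, followed by the dashboard side, where the stored title is rendered into the top posts/pages list once unescaped and once with HTML escaping and path validation. The tracking ID, payload and report rows are constructed sample data, not values from the advisory; the GA4 protocol is not modelled.

```javascript
// Added illustration of the CVE-2022-3904 data flow; this is not MonsterInsights
// or PoC code. Two halves:
//  1. attacker side: a Google Analytics (Universal Analytics Measurement Protocol)
//     pageview hit whose document title (dt) carries a script payload. GA does not
//     authenticate who sends hits, so anyone who knows the site's tracking ID can
//     store a spoofed title in its reports. The hit is only built here, never sent.
//  2. dashboard side: rendering the "top pages" list from report rows, first the
//     unescaped pattern that makes the stored title executable, then the escaped one.

// Constructed sample tracking ID and payload (assumptions, not from the advisory).
const SAMPLE_TID = 'UA-000000-1';
const PAYLOAD_TITLE = '<script>alert(document.domain)</script>';

// Build the body of a spoofed pageview hit. v, tid, cid, t, dp and dt are the
// documented Universal Analytics Measurement Protocol field names.
function buildSpoofedHit(tid, pagePath, title) {
  const params = new URLSearchParams({
    v: '1',          // protocol version
    tid,             // tracking ID of the victim site, readable from its HTML
    cid: '555',      // arbitrary client ID; GA accepts any value
    t: 'pageview',
    dp: pagePath,    // document path
    dt: title,       // document title: attacker-controlled text
  });
  return params.toString();
}

// Rows as the dashboard would receive them from the analytics report API
// (constructed sample data; the second row is what the spoofed hit produces).
const SAMPLE_ROWS = [
  { path: '/hello-world/', title: 'Hello world!' },
  { path: '/', title: PAYLOAD_TITLE },
];

// HTML-escape text for a text node or quoted attribute (same effect as WordPress esc_html()).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Only accept site-relative paths for the link target, so a spoofed dp such as
// "javascript:..." or "//evil.example" cannot become an href.
function safePath(p) {
  return typeof p === 'string' && p.startsWith('/') && !p.startsWith('//') ? p : '/';
}

// Vulnerable pattern: report data is treated as trusted and concatenated into markup.
function renderTopPagesUnsafe(rows) {
  const items = rows.map((r) => `<li><a href="${r.path}">${r.title}</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Fixed pattern: every field that came from the analytics API is escaped or validated.
function renderTopPagesSafe(rows) {
  const items = rows.map(
    (r) => `<li><a href="${escapeHtml(safePath(r.path))}">${escapeHtml(r.title)}</a></li>`,
  );
  return `<ul>${items.join('')}</ul>`;
}

// Does the rendered markup still contain an executable script element?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

console.log(buildSpoofedHit(SAMPLE_TID, '/', PAYLOAD_TITLE));
console.log(renderTopPagesUnsafe(SAMPLE_ROWS));
console.log(renderTopPagesSafe(SAMPLE_ROWS));
```

Run it with node: the unsafe renderer emits the raw `<script>` element for the spoofed row, the safe renderer emits the same title as inert text. The half that transfers to any plugin pulling third-party data into wp-admin is the second one: whatever an external service returns must be treated as attacker-controlled at render time, because the service never authenticated who supplied it.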

Exploits (1)

nomisec · WORKING POC · 3 stars
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2022-3904


Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: MonsterInsights WordPress plugin < 8.9.1
Authentication: none needed
Prerequisites: Target WordPress site with vulnerable MonsterInsights plugin · Access to Google Analytics for the target site
Analyzed by devstral-2 on Feb 19, 2026

References (1)

Core references (1):
https://wpscan.com/vulnerability/244d9ef1-335c-4f65-94ad-27c0c633f6ad (Exploit, Third Party Advisory; tags: exploit, vdb-entry, technical-description)

Scores

CVSS v3: 6.1 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0134 (1.34%)
EPSS Percentile: 67.5%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-79
Status: published
Products (1): monsterinsights/monsterinsights < 8.9.1
Published: Jan 16, 2023
Tracked Since: Feb 18, 2026