CVE-2022-50970

MEDIUM

WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50970. PoCs published by Andrea Bocchetti.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in the WordPress AAWP plugin (version 3.16) via the 'tab' parameter. The payload is injected into the URL and triggers when accessed by an authenticated user.

Description

WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users.

Exploits (1)

exploitdb WORKING POC
by Andrea Bocchetti · text · webapps · php
https://www.exploit-db.com/exploits/50643

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin AAWP 3.16
Auth required
Prerequisites: Authenticated access to WordPress admin panel · AAWP plugin version 3.16 installed and activated
devstral-2 · analyzed May 10, 2026

References (3)

Core References (3)
Product: Official Product Homepage
https://getaawp.com/
Exploit: ExploitDB-50643
https://www.exploit-db.com/exploits/50643
Third Party Advisory: VulnCheck Advisory: WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter
https://www.vulncheck.com/advisories/wordpress-plugin-aawp-reflected-xss-via-tab-parameter

Scores

CVSS v3 5.4
EPSS 0.0017
EPSS Percentile 6.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1) Getaawp/WordPress Plugin AAWP 3.16
Published May 10, 2026
Tracked Since May 10, 2026