CVE-2022-4699 – MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode

https://notcve.org/view.php?id=CVE-2022-4699

03 Jan 2023 — The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins. The MediaElement.js – HTML5 Video & Audio Player for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 4.2.8 due to insuf... • https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •