Vulnerability Information

Title: Icegram < 2.1.8 - Contributor+ Stored Cross-Site Scripting

Description: The plugin does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

Proof of Concept: Create/edit a campaign (such as a Black Friday one), check the "Use Opt-in / Subscription / Lead capture form" settings and put the XSS payload. The XSS will be triggered when viewing/previewing the campaign.

Affected Plugin: Icegram (Fixed in 2.1.8)

CVE Reference: CVE-2022-1776

Classification:
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79
CVSS: 6.8 (medium)

Timeline:
Publicly Published: 2022-06-01
Added: 2022-06-01
Last Updated: 2023-03-01

Miscellaneous:
Original Researcher: Pritam Dash
Submitter: Pritam Dash
Verified: Yes
WPVDB ID: 46ed56db-9b9d-4390-80fc-343a01fcc3c9
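The root cause named in the description is a campaign parameter that is stored and later rendered without sanitization or escaping. The following is an added illustration of the defensive pattern WordPress expects for such a field; it is not Icegram's code and does not reproduce the plugin's actual fix. The meta key `demo_campaign_headline`, the nonce action `demo_save_campaign` and the `demo_*` function names are hypothetical; the WordPress API functions (`sanitize_text_field`, `esc_html`, `wp_unslash`, `wp_verify_nonce`, `current_user_can`, `update_post_meta`, `get_post_meta`, `add_action`) are real core functions.

```php
<?php
// Added example (not from the advisory or the Icegram plugin): a campaign
// text field handled unsafely, then the same field handled the way WordPress
// core expects. Meta key and function names are hypothetical placeholders.

// --- Unsafe pattern: raw request value stored, then printed verbatim. ---
// Any user who can edit the campaign (Contributor and up) controls the HTML
// emitted on the preview page, which is exactly the CWE-79 condition above.
function demo_save_campaign_headline_unsafe( $post_id ) {
    if ( isset( $_POST['demo_campaign_headline'] ) ) {
        update_post_meta(
            $post_id,
            'demo_campaign_headline',
            wp_unslash( $_POST['demo_campaign_headline'] ) // no sanitization
        );
    }
}

function demo_render_campaign_headline_unsafe( $post_id ) {
    $headline = get_post_meta( $post_id, 'demo_campaign_headline', true );
    echo '<h2>' . $headline . '</h2>'; // no escaping at output
}

// --- Hardened pattern: check intent and capability, sanitize on save,
//     escape on output for the context the value lands in. ---
function demo_save_campaign_headline( $post_id ) {
    // Reject requests that do not come from the plugin's own form, and
    // users who may not edit this particular campaign post.
    if ( ! isset( $_POST['demo_campaign_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_campaign_nonce'], 'demo_save_campaign' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    if ( isset( $_POST['demo_campaign_headline'] ) ) {
        // sanitize_text_field() strips tags, line breaks and invalid UTF-8,
        // so markup never reaches the database for a plain-text field.
        $headline = sanitize_text_field( wp_unslash( $_POST['demo_campaign_headline'] ) );
        update_post_meta( $post_id, 'demo_campaign_headline', $headline );
    }
}

function demo_render_campaign_headline( $post_id ) {
    $headline = get_post_meta( $post_id, 'demo_campaign_headline', true );
    // Escaping is still applied at output even though the value was
    // sanitized on save: stored data may predate the fix or be written by
    // another code path. esc_html() is for HTML text content; a value placed
    // in an attribute would use esc_attr() instead.
    echo '<h2>' . esc_html( $headline ) . '</h2>';
}

add_action( 'save_post', 'demo_save_campaign_headline' );
```

If a campaign field legitimately needs limited HTML rather than plain text, `wp_kses_post()` applied on save restricts the value to the tag and attribute allow-list core already enforces for users without the `unfiltered_html` capability (which Contributors lack), and `wp_kses_post()` on output is the matching escape; the pairing of sanitize-on-input with context-appropriate escape-on-output is the point, regardless of which allow-list is chosen.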