Title: Multiple Cross-Site Scripting on ProcessWire
CVE ID: CVE-2022-40487
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Advisory Release Date: 06 April 2023
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-40487/
Credits: Discovery by Filipe Azevedo (filipaze) <fa[at]integrity.pt> & Guilherme Santos (rondons) <gs[at]integrity.pt>
ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload.