
CVE-2022-3350: CWE-79 Cross-Site Scripting (XSS) in Unknown Contact Bank – Contact Form Builder for WordPress

Medium
Tags: Vulnerability, cve-2022-3350, cwe-79
Published: Tue Oct 25 2022 (10/25/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Contact Bank – Contact Form Builder for WordPress

Description

The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 00:12:36 UTC

Technical Analysis

CVE-2022-3350 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in the Contact Bank – Contact Form Builder plugin for WordPress, affecting version 3.0.30 and earlier. The plugin neither sanitises certain form settings when they are saved nor escapes them when they are rendered, so a user with high privileges, such as an administrator, can store script in those settings. The flaw is notable because it works even when the WordPress unfiltered_html capability is withheld, as it is from site administrators in multisite installations, where that capability is precisely what is meant to stop privileged users from posting raw HTML. Exploitation requires a privileged user to save a setting containing JavaScript; the script then runs in the browser of any user who views the affected page or admin screen. The CVSS 3.1 base score of 4.8 (medium) corresponds to a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), user interaction required (UI:R), changed scope (S:C), and impacts on confidentiality and integrity but not availability. No exploits are known in the wild, but script execution in another user's browser can lead to session hijacking, privilege escalation, or other actions carried out with that user's rights. The vulnerability is classified under CWE-79, a common and well-understood class of XSS. No patch link is provided in the record, so users should check whether releases after 3.0.30 address the issue or apply manual mitigations.

Potential Impact

For European organizations using WordPress with the Contact Bank plugin, this vulnerability could lead to unauthorized script execution within administrative contexts, potentially compromising the confidentiality and integrity of sensitive data. Since exploitation requires high privileges, the risk is primarily from insider threats or compromised admin accounts. However, successful exploitation could allow attackers to perform actions on behalf of administrators, such as modifying site content, stealing credentials, or injecting further malware. In multisite WordPress setups common in large organizations or service providers, the risk is heightened because the vulnerability bypasses the unfiltered_html capability restriction. This could lead to cross-site attacks affecting multiple sites within a network. The impact on availability is minimal, but the breach of trust and potential data leakage could have regulatory consequences under GDPR, especially if personal data is exposed or manipulated. Additionally, reputational damage and operational disruption could result from such attacks.

Mitigation Recommendations

European organizations should first verify if their Contact Bank plugin version is 3.0.30 or earlier and upgrade to the latest available version where this vulnerability is patched. If no official patch exists, administrators should consider disabling or removing the plugin until a fix is available. Restricting high privilege user access and enforcing strong authentication and monitoring can reduce the risk of exploitation. Implementing Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting WordPress admin interfaces can provide additional protection. Regular security audits and code reviews of plugins, especially those handling user input and stored data, are recommended. In multisite environments, carefully review user roles and capabilities to minimize exposure. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Finally, educating administrators about the risks of injecting untrusted content into form settings can reduce inadvertent exploitation.
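The analysis above describes the general shape of the defect (settings stored unsanitised and rendered unescaped, with no regard for the unfiltered_html capability) and the mitigation section asks for code review of plugins that handle stored input. The following PHP is an added illustration written for this page; it is not Contact Bank's code and does not reproduce the plugin's actual option names or fields. It assumes it runs inside WordPress, where `update_option`, `get_option`, `sanitize_text_field`, `wp_kses`, `esc_html`, `esc_attr`, `wp_unslash`, `check_admin_referer` and `current_user_can` are core functions; the option key, field names and nonce action are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Shows the vulnerable pattern
// (store raw, echo raw) next to a hardened one (sanitise on save, escape on
// output, honour unfiltered_html). Option and field names are hypothetical.

// VULNERABLE: submitted values are stored verbatim and echoed without escaping.
function cb_example_save_form_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cb_example_save' );
    $settings = array(
        'form_title'   => $_POST['form_title'],   // stored as-is
        'success_text' => $_POST['success_text'], // stored as-is
    );
    update_option( 'cb_example_form_settings', $settings );
}

function cb_example_render_vulnerable() {
    $s = get_option( 'cb_example_form_settings', array() );
    echo '<h2>' . $s['form_title'] . '</h2>';                     // unescaped
    echo '<div class="cb-success">' . $s['success_text'] . '</div>'; // unescaped
}

// HARDENED: sanitise on the way in, escape on the way out, and apply the
// unfiltered_html check that multisite relies on (site admins lack it there).
function cb_example_allowed_html() {
    // Constructed whitelist for the one field that may carry limited markup.
    return array(
        'b' => array(),
        'i' => array(),
        'a' => array( 'href' => array(), 'title' => array() ),
    );
}

function cb_example_save_form_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cb_example_save' );

    $title   = isset( $_POST['form_title'] ) ? wp_unslash( $_POST['form_title'] ) : '';
    $success = isset( $_POST['success_text'] ) ? wp_unslash( $_POST['success_text'] ) : '';

    // Plain-text field: strip tags, line breaks and control characters.
    $title = sanitize_text_field( $title );

    // Rich field: only users holding unfiltered_html may keep arbitrary markup;
    // everyone else, including multisite site admins, is reduced to the whitelist.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $success = wp_kses( $success, cb_example_allowed_html() );
    }

    update_option( 'cb_example_form_settings', array(
        'form_title'   => $title,
        'success_text' => $success,
    ) );
}

function cb_example_render_fixed() {
    $s       = get_option( 'cb_example_form_settings', array() );
    $title   = isset( $s['form_title'] ) ? $s['form_title'] : '';
    $success = isset( $s['success_text'] ) ? $s['success_text'] : '';

    // Escape for the exact output context. The title is element text; the
    // success text is re-filtered on output so a value stored before the fix
    // (or by a user who once had unfiltered_html) still cannot carry script.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<div class="cb-success">' . wp_kses( $success, cb_example_allowed_html() ) . '</div>';
    echo '<input type="hidden" name="form_title" value="' . esc_attr( $title ) . '">';
}
```

The two things a reviewer should look for in a settings handler are visible in the contrast: whether each stored value passes through a sanitiser appropriate to its type before `update_option`, and whether each rendered value is escaped for the context it lands in (`esc_html` for text, `esc_attr` for attributes, `wp_kses` for fields that legitimately carry markup). Gating raw markup on `current_user_can( 'unfiltered_html' )` rather than on role name is what keeps the multisite restriction meaningful.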


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-09-28T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd74db

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/5/2025, 12:12:36 AM

Last updated: 7/30/2025, 10:10:45 PM
