CVE-2022-0150: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-0150 affects the WP Accessibility Helper (WAH) WordPress plugin versions before 0.6.0.7. The issue was discovered by Krzysztof Zając and was publicly disclosed on January 26, 2022. This security flaw involves a Reflected Cross-Site Scripting (XSS) vulnerability in the plugin's handling of the 'wahi' parameter (WPScan).

The vulnerability stems from improper sanitization and escaping of the 'wahi' parameter. When this parameter is processed, the plugin decodes its base64 value and outputs it directly in the page without proper security measures. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-79. A proof of concept exploit can be demonstrated using the URL pattern: https://example.com/?wahi=JzthbGVydCgxKTsvLw== (WPScan).

The vulnerability allows attackers to execute cross-site scripting attacks through the affected parameter. This could potentially lead to the execution of malicious JavaScript code in users' browsers who visit specially crafted URLs (CVE Mitre).

The vulnerability has been fixed in version 0.6.0.7 of the WP Accessibility Helper plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan, WordPress Plugins).