CVE-2022-0189: 
WordPress vulnerability analysis and mitigation

CVE-2022-0189 is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the WP RSS Aggregator WordPress plugin versions below 4.20. The vulnerability was publicly disclosed on January 26, 2022, and was discovered by security researcher Krzysztof Zając (WPScan).

The vulnerability exists because the plugin fails to properly sanitize and escape the 'id' parameter in the wprssfetchitemsrowaction AJAX action before outputting it back in the response. This security flaw has been assigned a CVSS score of 6.1 (Medium) and is classified under CWE-79. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows attackers to execute malicious JavaScript code in the context of other users' browsers who visit the affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the authenticated user's session (WPScan).

The vulnerability has been fixed in WP RSS Aggregator version 4.20. Users are advised to update their installations to this version or later to mitigate the risk (WPScan, WordPress Trac).