CVE-2022-0201: 
WordPress vulnerability analysis and mitigation

The Permalink Manager Lite and Pro WordPress plugins before version 2.2.15 contain a Reflected Cross-Site Scripting vulnerability due to improper sanitization and escaping of query parameters in the debug page. The vulnerability was discovered and disclosed in January 2022 (WPScan, NVD).

The vulnerability stems from the failure to properly sanitize and escape query parameters before outputting them back in the debug page. This can be exploited through manipulated URL parameters. The vulnerability has been assigned a CVSS score of 6.1 (medium) and is classified as CWE-79: Cross-Site Scripting. A proof of concept exploit involves accessing a URL with malicious parameters: https://example.com/index.php?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E&debug_url=1 (WPScan).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the manipulated debug page URL. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (WPScan).

The vulnerability has been fixed in version 2.2.15 of both Permalink Manager Lite and Pro plugins. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).