CVE-2022-0220: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-0220 affects the WordPress GDPR & CCPA plugin versions prior to 1.9.27. It is an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability that was discovered and publicly disclosed on January 26, 2022. The vulnerability exists in the checkprivacysettings AJAX action of the plugin, which is accessible to both authenticated and unauthenticated users (WPScan).

The vulnerability occurs because the checkprivacysettings AJAX action responds with JSON data without an "application/json" content-type header. Additionally, HTML payloads are not properly escaped, allowing them to be interpreted by web browsers accessing this endpoint. The vulnerability has a CVSS score of 6.1 (medium) and is classified as CWE-79 (Cross-Site Scripting). Due to version 1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users as they all share the same nonce (WPScan).

When successfully exploited, this vulnerability allows attackers to execute JavaScript code in a victim's browser. Since the vulnerability is exploitable against unauthenticated users, it poses a significant risk as it could potentially affect any visitor to the affected website (WPScan).

The vulnerability has been fixed in version 1.9.27 of the WordPress GDPR & CCPA plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).