CVE-2022-0230: 
WordPress vulnerability analysis and mitigation

The Better WordPress Google XML Sitemaps WordPress plugin through version 1.4.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on February 16, 2022, and was assigned CVE-2022-0230. The issue affects the plugin's log functionality in the admin dashboard (WPScan).

The vulnerability exists because the plugin fails to properly sanitize and escape its logs when outputting them in the admin dashboard. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

This vulnerability allows unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators. When successfully exploited, the attacker can execute arbitrary JavaScript code in the context of the admin user's browser session when they view the log dashboard (WPScan).

As of the latest available information, there is no known fix for this vulnerability in the Better WordPress Google XML Sitemaps plugin. Site administrators using affected versions (1.4.1 and below) should consider either removing the plugin or implementing additional security controls to restrict access to the affected functionality (WPScan).