CVE-2022-0271: 
WordPress vulnerability analysis and mitigation

CVE-2022-0271 affects the LearnPress WordPress plugin versions before 4.1.6. The vulnerability was discovered and disclosed on January 18, 2022. The issue exists in the plugin's handling of the lp-dismiss-notice parameter in the lp_background_single_email AJAX action (WPScan, CVE Mitre).

The vulnerability is a Reflected Cross-Site Scripting (XSS) issue that occurs due to improper sanitization and escaping of the lp-dismiss-notice parameter before it is output back via the lp_background_single_email AJAX action. The vulnerability has been assigned a CVSS score of 6.1 (medium) and is classified under CWE-79. A proof of concept exploit involves accessing the URL: https://example.com/wp-admin/admin-ajax.php?action=lp_background_single_email&lp-dismiss-notice=xxx (WPScan).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the specifically crafted URL. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (WPScan).

The vulnerability has been fixed in LearnPress version 4.1.6. Users are advised to update to this version or later to protect against this security issue (WPScan).