CVE-2022-0346: 
WordPress vulnerability analysis and mitigation

The XML Sitemap Generator for Google WordPress plugin versions prior to 2.0.4 contains a security vulnerability identified as CVE-2022-0346. The vulnerability was discovered by Krzysztof Zając and was publicly disclosed on May 2, 2022. This security issue affects the WordPress plugin 'www-xml-sitemap-generator-org' and involves improper parameter validation (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS score of 6.1 (Medium). It is categorized under CWE-79 and falls into the OWASP Top 10 category A7: Cross-Site Scripting (XSS). The core issue stems from the plugin's failure to properly validate a parameter that can be set to arbitrary values. This vulnerability can manifest either as an XSS attack through error messages or potentially as Remote Code Execution (RCE) if the PHP setting 'allow_url_include' is enabled (WPScan).

The vulnerability can be exploited to execute cross-site scripting attacks via error messages. In more severe scenarios, if the PHP configuration has 'allow_url_include' enabled, it could potentially lead to remote code execution, allowing attackers to execute arbitrary PHP code on the affected system (WPScan).

The vulnerability has been patched in version 2.0.4 of the XML Sitemap Generator for Google WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).