CVE-2022-0347: 
WordPress vulnerability analysis and mitigation

CVE-2022-0347 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the LoginPress WordPress plugin versions below 1.5.12. The vulnerability was discovered by Krzysztof Zając and was publicly disclosed on February 14, 2022 (WPScan).

The vulnerability occurs because the plugin fails to properly escape the 'redirect-page' parameter before outputting it back in an attribute. This security flaw is classified as CWE-79 and has been assigned a CVSS score of 6.1 (Medium severity). A proof of concept exploit involves accessing the URL pattern: https://example.com/wp-admin/admin.php?page=loginpress-optin.php&redirect-page="+style=animation-name:rotation;display:block+onanimationstart=alert(/XSS/)+x (WPScan).

The vulnerability allows attackers to execute malicious JavaScript code in the context of other users' browsers who visit the specially crafted URL. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in LoginPress version 1.5.12. Users are advised to update their LoginPress plugin to this version or later to mitigate the security risk (WPScan).