CVE-2022-0381: 
WordPress vulnerability analysis and mitigation

The Embed Swagger WordPress plugin version 1.0.0 and earlier contains a Reflected Cross-Site Scripting vulnerability. The issue was discovered on January 21, 2022, and was assigned CVE-2022-0381. The vulnerability exists due to insufficient escaping/sanitization and validation of the url parameter in the ~/swagger-iframe.php file (WPScan, CVE Mitre).

The vulnerability stems from improper handling of the url parameter in the swagger-iframe.php file. While the code implements URL validation using filtervar with FILTERVALIDATE_URL, it fails to properly escape or encode the output when reflecting the URL in a JavaScript context. The CVSS score for this vulnerability is 6.1 (medium) (WPScan, GitHub PoC).

The vulnerability allows attackers to inject arbitrary web scripts onto the page. If successfully exploited against logged-in administrators or users, the attacker could potentially perform administrative tasks which could lead to Remote Code Execution (GitHub PoC).

There is no known fix for this vulnerability in the plugin. The suggested fix involves either removing the vulnerable code from line 59 in swagger-iframe.php or implementing proper URL encoding for the url parameter (GitHub PoC).