CVE-2022-0402: 
WordPress vulnerability analysis and mitigation

CVE-2022-0402 affects the Super Forms - Drag & Drop Form Builder WordPress plugin versions before 6.0.4. The vulnerability was discovered in January 2022 and involves an unescaped parameter 'bob_czy_panstwa_sprawa_zostala_rozwiazana' in the super_language_switcher AJAX action. The vulnerability affects WordPress installations using the Super Forms plugin (NVD, WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper output escaping in the AJAX action 'super_language_switcher'. The vulnerability is compounded by a lack of CSRF protection, which makes it easier for attackers to exploit against any user (NVD, WPScan).

The vulnerability allows attackers to execute cross-site scripting attacks against users. Due to the lack of CSRF protection, the attack can be more easily performed against any user of the system. The combination of XSS and missing CSRF protection could lead to unauthorized actions and potential data exposure (WPScan).

The vulnerability was patched in version 6.0.4 of the Super Forms plugin. Users should update to this version or later to mitigate the risk. The fix includes proper parameter escaping and improved request validation through a custom nonce system (GitHub Patch).