CVE-2022-0426: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-0426 affects the Product Feed PRO for WooCommerce WordPress plugin versions before 11.2.3. This Reflected Cross-Site Scripting (XSS) vulnerability was discovered and publicly disclosed on February 1, 2022. The issue exists in the plugin's handling of the rowCount parameter in the wooseacategoriesdropdown AJAX action, which is accessible to any authenticated user (WPScan).

The vulnerability stems from improper input validation where the plugin fails to properly escape the rowCount parameter before outputting it back in an attribute through the wooseacategoriesdropdown AJAX action. This vulnerability has been classified as CWE-79 (Cross-Site Scripting) with a CVSS score of 6.1 (medium severity). The vulnerability was discovered by security researcher Krzysztof Zając (WPScan).

The vulnerability allows authenticated users to perform Reflected Cross-Site Scripting attacks against other users of the website. This could potentially lead to the execution of malicious scripts in users' browsers, potentially compromising user sessions or stealing sensitive information (CVE Mitre).

The vulnerability has been fixed in version 11.2.3 of the Product Feed PRO for WooCommerce plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WordPress Plugins).