CVE-2022-0620: 
WordPress vulnerability analysis and mitigation

CVE-2022-0620 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin Delete Old Orders versions 0.2 and below. The vulnerability was discovered and publicly disclosed on March 1, 2022. The issue exists because the plugin fails to properly sanitize and escape the date parameter before outputting it back in an admin page (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS score of 6.1 (Medium severity) and is tracked under CWE-79. The vulnerability can be exploited through the date parameter in the admin page URL. A proof of concept demonstrates the vulnerability can be triggered via the path: wp-admin/admin.php?page=woo-delete-old-orders&step=3&date="> (WPScan).

The vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the admin page. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the authenticated administrator's session (WPScan).

As of the last update, there is no known fix available for this vulnerability. Users are advised to either disable the plugin or implement additional security controls to restrict access to the affected admin pages (WPScan).