CVE-2022-0628: 
WordPress vulnerability analysis and mitigation

CVE-2022-0628 is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the Mega Menu WordPress plugin versions before 3.0.8. The vulnerability was publicly disclosed on February 28, 2022, affecting the AP Mega Menu WordPress plugin. The core issue stems from the plugin's failure to properly sanitize and escape the _wpnonce parameter before outputting it back in an admin page (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue specifically involves the improper handling of the _wpnonce parameter in the admin interface (NVD).

When exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the admin user's browser session. This could potentially lead to unauthorized actions being performed on behalf of the administrator or the theft of sensitive information (WPScan).

The vulnerability has been patched in version 3.0.8 of the AP Mega Menu plugin. Users are strongly advised to update to this version or later to mitigate the risk. The fix was implemented through proper sanitization and escaping of the _wpnonce parameter (WPScan, WordPress).