
Cloud Vulnerability DB
A community-led vulnerabilities database
The Pricing Table Builder WordPress plugin (AP Pricing Tables Lite) before version 1.1.5 contains a Reflected Cross-Site Scripting vulnerability. The vulnerability was discovered and publicly disclosed on February 28, 2022. The issue affects the plugin's admin page functionality where the postid parameter is not properly sanitized and escaped before being output (WPScan).
The vulnerability is classified as Reflected Cross-Site Scripting (XSS) with a CVSS v3 Base Score of 6.1 (Medium). The attack vector is network-based with low attack complexity; exploitation requires user interaction but no privileges. The vulnerability occurs because the postid parameter in the admin page is improperly sanitized. A proof of concept demonstrates that the vulnerability can be exploited via the URL path: wp-admin/admin.php?page=ap-pricing-tables-lite-add-new&postid=1'> (WPScan).
Successful exploitation of this vulnerability could allow attackers to execute arbitrary web scripts or HTML in a user's browser context, potentially leading to theft of sensitive data or manipulation of the web interface. The CVSS metrics indicate low impact on both confidentiality and integrity, with no impact on availability (AttackerKB).
Users should upgrade to version 1.1.5 or later of the AP Pricing Tables Lite plugin to address this vulnerability. The fix was implemented in the WordPress plugin repository through changeset 2684253 (WordPress Plugin).
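For sites that cannot confirm when they were upgraded, the access log can be checked for requests to the affected admin page that carry a non-numeric postid. The following is an added example, not code from the advisory or the plugin; it assumes common/combined-format access logs and that a legitimate postid is a decimal post ID, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Page slug and parameter name come from the advisory text above.
PAGE_SLUG = "ap-pricing-tables-lite-add-new"
PARAM = "postid"

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, made-up timestamps).
_PREFIX = '203.0.113.7 - - [01/Mar/2022:10:00:00 +0000] "GET /wp-admin/admin.php?page='
SAMPLE_LOG = [
    _PREFIX + 'ap-pricing-tables-lite-add-new&postid=42 HTTP/1.1" 200 5120',
    _PREFIX + 'ap-pricing-tables-lite-add-new&postid=1%27%3E HTTP/1.1" 200 5140',
    _PREFIX + 'ap-pricing-tables-lite-add-new&postid=1%2527%253E HTTP/1.1" 200 5140',
    _PREFIX + 'some-other-page&postid=abc HTTP/1.1" 200 900',
]


def suspicious_postid(log_line):
    """Return the decoded postid if the request hits the plugin's admin page
    with a non-numeric postid; otherwise return None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query)
    if PAGE_SLUG not in params.get("page", []):
        return None
    for raw in params.get(PARAM, []):
        # parse_qs decodes once; decode again to catch double-encoded values.
        value = unquote(raw)
        # Assumption: a legitimate postid is a plain decimal post ID.
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = [(n, suspicious_postid(line)) for n, line in enumerate(lines, 1)]
    return [(n, value) for n, value in hits if value is not None]


if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric postid {value!r}")
```

A hit only shows that such a request was received; whether it mattered depends on whether the plugin was still below 1.1.5 at that time.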
Source: This report was generated using AI