CVE-2022-0684: 
WordPress vulnerability analysis and mitigation

The WP Home Page Menu WordPress plugin before version 3.1 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-0684. The vulnerability was discovered and publicly disclosed on February 21, 2022. This security issue affects the WordPress plugin's settings functionality, specifically impacting installations running versions prior to 3.1 (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings, which allows privileged users such as administrators to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. It is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows authenticated users with high privileges to inject malicious scripts through the plugin's text field settings, such as the 'Home Page Menu Label'. This could lead to stored XSS attacks, potentially affecting other users who access the affected pages (WPScan).

The vulnerability has been fixed in version 3.1 of the WP Home Page Menu plugin. Users are advised to update to this version or later to mitigate the security risk. The fix was implemented through a patch that properly sanitizes and escapes the plugin settings (WordPress Plugins).