CVE-2022-0702: 
WordPress vulnerability analysis and mitigation

The Petfinder Listings WordPress plugin versions before 1.1 contain a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on February 21, 2022 and assigned CVE-2022-0702. The issue affects the plugin's settings functionality where input fields are not properly escaped (WPScan).

The vulnerability exists because the plugin does not properly escape its settings fields, which allows high privilege users such as administrators to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 3.4 (Low) and is classified as CWE-79: Cross-Site Scripting. The issue can be exploited by inserting malicious JavaScript code into text field settings of the plugin, such as the 'Your Petfinder API Key v1.0' field (WPScan).

When successfully exploited, this vulnerability allows authenticated administrators to store and execute malicious JavaScript code in the plugin's settings pages. This could potentially affect other administrative users who access these pages, leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 1.1 of the Petfinder Listings plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).