CVE-2022-0706: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads WordPress plugin before version 2.11.6 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-0706. The vulnerability was discovered by Muhamad Hidayat and publicly disclosed on March 28, 2022. The issue affects the plugin's handling of Downloadable File Names in the Logs section, where insufficient sanitization and escaping of input could lead to potential XSS attacks (WPScan).

The vulnerability is classified as a stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 4.8 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring High privileges (PR:H) and User interaction (UI:R). The scope is Changed (S:C) with Low impact on both Confidentiality (C:L) and Integrity (I:L), and No impact on Availability (A:N) (NVD).

The vulnerability allows high-privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who access the Reports > Logs page (WPScan).

The vulnerability has been patched in version 2.11.6 of the Easy Digital Downloads plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).