CVE-2022-0898: 
WordPress vulnerability analysis and mitigation

CVE-2022-0898 is a Stored Cross-Site Scripting vulnerability affecting the WordPress plugin IgniteUp versions 3.4.1 and below. The vulnerability was discovered by Kaushalendra Dubey and publicly disclosed on April 13, 2022. The issue exists in the plugin's template customization functionality where certain fields are not properly sanitized and escaped for users with high privileges who don't have the unfiltered_html capability (WPScan, Wordfence).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the stored variety, and is tracked as CWE-79. The CVSS score ranges from 3.4 (low) to 5.5 (medium) according to different assessments. The vulnerability exists in the template customization section of the plugin, specifically in the Paragraph Text or Descriptive Text fields, which can be accessed at /wp-admin/admin.php?page=cscs_templates (WPScan).

When exploited, the vulnerability allows malicious scripts to be stored and executed when either previewing the template or when the 'Enable Coming Soon or Site Offline' general option is enabled and the frontend is accessed. This could potentially lead to unauthorized actions being performed in the context of other users' sessions (WPScan).

As of the last updates, there is no known fix available for this vulnerability. Users of the affected plugin versions should consider implementing additional security measures or potentially disabling the plugin until a patch is released (WPScan).