CVE-2022-1028: 
WordPress vulnerability analysis and mitigation

The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin (wp-security-pro) before version 4.2.1 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1028. The vulnerability was discovered by Niraj Mahajan and was publicly disclosed on June 6, 2022 (WPScan Advisory).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the 'Advanced Blocking' tab in the 'Block HTTP Referer's' section (NVD, WPScan Advisory).

The vulnerability allows malicious users with administrator privileges to store and execute malicious JavaScript code, particularly in environments where unfiltered_html is disallowed, such as in multisite setups. This can lead to Cross-Site Scripting attacks, potentially compromising the security of the affected WordPress installation (WPScan Advisory).

The vulnerability has been fixed in version 4.2.1 of the WordPress Security plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Advisory).