CVE-2022-1047: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2022-1047) affects the Themify Post Type Builder Search Addon WordPress plugin versions below 1.4.0. It is a Reflected Cross-Site Scripting (XSS) vulnerability discovered and reported by researchers Kevin Barbón García, David Álvarez Robles, Francisco Díaz-Pache Alonso & Sergio Corral Cristo. The issue was publicly disclosed on April 12, 2022 (WPScan).

The vulnerability occurs because the plugin does not properly escape the current page URL before reusing it in an HTML attribute, which leads to a reflected cross-site scripting vulnerability. The vulnerability has been assigned a CVSS score of 6.1 (medium) and is classified under CWE-79 (Cross-Site Scripting). A proof of concept exists where an attacker can exploit this by adding a malicious URL query parameter to a page or post with a search form (WPScan).

The vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers when they visit a specially crafted URL. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 1.4.0 of the Themify Post Type Builder Search Addon. Users are advised to update to this version or later to mitigate the risk (WPScan).