CVE-2022-1089: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-1089 affects the Bulk Edit and Create User Profiles WordPress plugin versions before 1.5.14. The vulnerability was discovered and publicly disclosed on April 19, 2022, by security researcher Ankur Bakre. This security flaw involves improper sanitization and escaping of Users Login functionality in the WordPress plugin (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from the plugin's failure to properly sanitize and escape the Users Login field, allowing for the injection of malicious scripts (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed. This could potentially lead to the execution of unauthorized scripts in users' browsers when viewing the affected pages (WPScan).

The vulnerability has been fixed in version 1.5.14 of the Bulk Edit and Create User Profiles WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).