CVE-2022-1094: 
WordPress vulnerability analysis and mitigation

The amr users WordPress plugin before version 4.59.4 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on April 4, 2022, and was assigned CVE-2022-1094. The issue affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability exists because the plugin does not properly sanitize and escape some of its settings. This security flaw has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability could allow high privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The XSS payload would be triggered in all backend pages, potentially affecting other administrative users (WPScan).

The vulnerability has been fixed in version 4.59.4 of the amr users plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).