CVE-2022-1095: 
WordPress vulnerability analysis and mitigation

The Mihdan: No External Links WordPress plugin before version 5.0.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on March 25, 2022, and was publicly disclosed on June 2, 2022. The plugin fails to properly sanitize and escape certain settings, affecting WordPress installations using this plugin (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The flaw exists in the plugin's settings functionality where input validation is insufficient, allowing for the storage and execution of malicious scripts even when the unfiltered_html capability is disabled in multisite setups (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This can lead to the execution of arbitrary JavaScript code in the context of other users' browsers who access the affected pages, potentially compromising the security of the WordPress installation (WPScan).

The vulnerability has been patched in version 5.0.2 of the Mihdan: No External Links WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).