CVE-2022-1152: 
WordPress vulnerability analysis and mitigation

CVE-2022-1152 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WordPress Menubar plugin versions below 5.8. The vulnerability was discovered and publicly disclosed on April 4, 2022, with the last update to the advisory on April 9, 2022. The vulnerability affects authenticated users of WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability stems from improper input validation where the plugin fails to sanitize and escape the 'command' parameter before outputting it back in the response via the menubar AJAX action. This vulnerability has been classified as a Cross-Site Scripting (XSS) issue with a CVSS score of 6.1 (medium severity) and is categorized under CWE-79. The vulnerability is accessible to any authenticated users of the affected WordPress installations (WPScan).

The vulnerability allows authenticated users to execute cross-site scripting attacks against other users of the affected WordPress installations. This could potentially lead to session hijacking, defacement of the website, or other malicious actions performed in the context of the targeted user's browser (WPScan).

The vulnerability has been fixed in version 5.8 of the Menubar plugin. Users are advised to update to this version or later to mitigate the risk. Additionally, ModSecurity commercial rules were released in April 2022 to help protect against this vulnerability (Trustwave).