CVE-2022-1217: 
WordPress vulnerability analysis and mitigation

The Custom TinyMCE Shortcode Button WordPress plugin through version 1.1 contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1217. The vulnerability was discovered and publicly disclosed on April 19, 2022. The issue affects the plugin's admin page functionality where the PHP_SELF variable is not properly sanitized and escaped before being output (CVE Details, WPScan).

The vulnerability stems from improper input validation where the PHP_SELF variable is output without sanitization in an attribute within an admin page. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) and is classified as CWE-79. A proof of concept exploit involves accessing the URL pattern: https://example.com/wp-admin/options-general.php/"%3E%3Csvg/onload=alert(/xss/)%3E?page=stscb-page-elements (WPScan).

The vulnerability allows attackers to execute cross-site scripting attacks through the admin page of WordPress installations using the affected plugin. This could potentially lead to unauthorized actions being performed in the context of the authenticated administrator session (WPScan).

As of the last update, there is no known fix available for this vulnerability. Users of the Custom TinyMCE Shortcode Button WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to the affected admin pages (WPScan).