CVE-2022-1218: 
WordPress vulnerability analysis and mitigation

The Domain Replace WordPress plugin through version 1.3.8 contains a Reflected Cross-Site Scripting vulnerability (CVE-2022-1218). The vulnerability was discovered and publicly disclosed on April 26, 2022. The issue affects the plugin's admin page functionality (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in an attribute in an admin page. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

This vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the specially crafted URL. Since the vulnerability exists in an admin page, successful exploitation could potentially lead to administrative actions being performed without the administrator's consent (WPScan).

As of the vulnerability disclosure, there is no known fix available for this issue. Users of the Domain Replace WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to the admin pages (WPScan).