CVE-2022-1250: 
WordPress vulnerability analysis and mitigation

The LifterLMS PayPal WordPress plugin before version 1.4.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1250. The vulnerability was discovered and disclosed on April 4, 2022, affecting the payment confirmation functionality of the plugin. The issue exists because the plugin fails to properly sanitize and escape certain parameters from the payment confirmation page before outputting them back to users (WPScan, NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The exploit can be triggered through the payment confirmation page by manipulating specific parameters that are then reflected back to users without proper sanitization (NVD).

When exploited, this vulnerability could allow attackers to execute malicious JavaScript code in victims' browsers within the context of the affected website. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 1.4.0 of the LifterLMS PayPal plugin. Site administrators should update to this version or later to protect against this security issue. The update includes proper sanitization of user input in the LLMSPaymentGatewayPayPal::afterpaymentmethoddetails() function (LifterLMS).