CVE-2022-1294: 
WordPress vulnerability analysis and mitigation

The CVE-2022-1294 vulnerability affects the IMDB info box WordPress plugin through version 2.0. The vulnerability was discovered by Fayçal CHENA and was publicly disclosed on May 9, 2022. This security issue involves improper sanitization and escaping of plugin settings, potentially enabling cross-site scripting (XSS) attacks (WPScan Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The technical root cause stems from the plugin's failure to properly sanitize and escape certain settings, even when the unfiltered_html capability is disabled (NVD).

The vulnerability allows high-privileged users to perform Cross-Site Scripting attacks on WordPress installations using the affected plugin. This could potentially lead to the execution of malicious scripts in users' browsers, even in environments where the unfiltered_html capability is explicitly disallowed (WPScan Advisory).

As of the vulnerability disclosure, there is no known fix available for this security issue. Users of the IMDB info box WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to administrative functions (WPScan Advisory).