CVE-2022-1336: 
WordPress vulnerability analysis and mitigation

The Carousel CK WordPress plugin through version 1.1.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The issue was discovered by Fayçal CHENA and publicly disclosed on May 18, 2022. The vulnerability exists because the plugin fails to properly sanitize and escape Slide's descriptions, potentially allowing high-privileged users such as administrators to perform Cross-Site Scripting attacks when unfiltered_html is disallowed (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically categorized under CWE-79. It has been assigned a CVSS score of 3.4 (low severity). The technical issue stems from the plugin's failure to implement proper input sanitization and output escaping for the Slide's description field. This security weakness becomes exploitable when the unfiltered_html capability is disabled for administrative users (WPScan).

The vulnerability allows high-privileged users such as administrators to inject and execute malicious JavaScript code in the context of other users' browsers when they view pages containing the affected carousel. The XSS payload gets triggered when users view any page or post where the compromised Carousel is embedded (WPScan).

As of the latest reports, there is no known fix available for this vulnerability in the Carousel CK WordPress plugin (WPScan).