CVE-2022-1393: 
WordPress vulnerability analysis and mitigation

The WP Subtitle WordPress plugin before version 3.4.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin adds a subtitle field and provides a shortcode functionality via [wp_subtitle]. The vulnerability was discovered and disclosed on April 25, 2022 (WPScan Advisory).

The vulnerability exists in the subtitle functionality, which is stored as a custom post meta with the key 'wps_subtitle'. While the subtitle is sanitized during post save/update operations, it lacks proper sanitization when updated directly through the post meta update button via AJAX. This oversight makes the XSS vulnerability exploitable by authenticated users with contributor-level privileges or higher. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan Advisory).

When successfully exploited, this vulnerability allows authenticated users with contributor-level access or higher to store and execute malicious JavaScript code that will be executed in other users' browsers when viewing the affected posts. This could lead to session hijacking, credential theft, or other client-side attacks (WPScan Advisory).

The vulnerability has been patched in version 3.4.1 of the WP Subtitle plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan Advisory).