CVE-2022-1396: 
WordPress vulnerability analysis and mitigation

CVE-2022-1396 affects the Donorbox WordPress plugin versions before 7.1.7. The vulnerability was discovered by Hassan Khan Yusufzai (Splint3r7) and was publicly disclosed on March 30, 2022. This security issue involves a Stored Cross-Site Scripting (XSS) vulnerability in the Campaign URL settings functionality (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of the Campaign URL settings before outputting it in an attribute, which leads to a Stored Cross-Site Scripting issue. This vulnerability exists even when the unfiltered_html capability is disallowed. The CVSS v3.1 base score is 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (WPScan, NVD).

When exploited, this vulnerability allows attackers with administrative access to store malicious JavaScript code in the Campaign URL settings. When other users view the affected pages, the stored malicious code executes in their browsers, potentially leading to data theft, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 7.1.7 of the Donorbox WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).