CVE-2022-1435: 
WordPress vulnerability analysis and mitigation

The WPCargo Track & Trace WordPress plugin before version 6.9.5 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on April 25, 2022, and was assigned CVE-2022-1435. The issue affects the plugin's settings functionality where certain parameters are not properly sanitized and escaped (WPScan Advisory).

The vulnerability stems from improper sanitization and escaping of several email-related settings parameters in the plugin. The affected parameters include wpcargomaildomain, wpcargomailsettings, wpcargomailto, wpcargoemailcc, and wpcargoemailbcc. This security flaw exists even when the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD Database).

The vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks. When successfully exploited, it could lead to the execution of arbitrary JavaScript code in the context of other users' browsers who access the affected areas of the WordPress admin panel (WPScan Advisory).

The vulnerability has been fixed in version 6.9.5 of the WPCargo Track & Trace plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).