CVE-2022-1436: 
WordPress vulnerability analysis and mitigation

The WPCargo Track & Trace WordPress plugin versions before 6.9.5 contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1436. The vulnerability was discovered and publicly disclosed on April 25, 2022. The issue affects the plugin's tracking functionality where the wpcargotrackingnumber parameter is not properly sanitized and escaped before being output back to the page (WPScan).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79). The CVSS v3.1 base score is 6.1 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue occurs specifically when the wpcargotrackingnumber parameter is processed on pages using the [wpcargo_trackform] shortcode, where the input is reflected back without proper sanitization or escaping (WPScan).

If successfully exploited, this vulnerability allows attackers to perform reflected Cross-Site Scripting attacks. When a malicious payload is injected through the tracking number parameter, it can execute arbitrary JavaScript code in the context of other users' browsers who visit the affected page (WPScan).

The vulnerability has been fixed in version 6.9.5 of the WPCargo Track & Trace plugin. Users are strongly advised to update to this version or later to protect against potential XSS attacks (WPScan).