CVE-2022-1549: 
WordPress vulnerability analysis and mitigation

The WP Athletics WordPress plugin version 1.1.7 and below contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1549. The vulnerability was discovered by Wejdan Alomari and publicly disclosed on May 17, 2022. The issue affects the plugin's race result submission functionality, where subscriber-level users and above can exploit the vulnerability (WPScan).

The vulnerability stems from improper input sanitization where the plugin fails to properly sanitize parameters before storing them in the database and does not escape the values when outputting them back in the admin dashboard. This vulnerability has been assigned a CVSS score of 8.0 (High) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability specifically affects the Event Name field in the race result submission form (WPScan).

When successfully exploited, this vulnerability allows an attacker with subscriber-level access to store malicious JavaScript code in the database, which is then executed when an administrator views the results in the admin dashboard at /wp-admin/admin.php?page=wp-athletics-manage-results. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

As of the last update, there is no known fix available for this vulnerability in the WP Athletics plugin. Website administrators using this plugin should consider either removing it or implementing additional security controls to restrict access to the race result submission functionality (WPScan).