CVE-2022-1618: 
WordPress vulnerability analysis and mitigation

The Coru LFMember WordPress plugin through version 1.0.2 contains a Cross-Site Request Forgery (CSRF) vulnerability combined with a Stored Cross-Site Scripting (XSS) issue. The vulnerability was publicly disclosed on April 26, 2022, and was assigned CVE-2022-1618. The vulnerability affects the plugin's functionality related to adding new games, where it lacks proper CSRF protection and input sanitization (WPScan).

The vulnerability stems from two main security issues: the absence of CSRF checks when adding new games and insufficient sanitization and escaping in the plugin's settings. This combination allows attackers to manipulate a logged-in administrator into adding arbitrary games containing XSS payloads. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-352 (WPScan).

The vulnerability allows attackers to execute stored cross-site scripting attacks through CSRF. An attacker could potentially trick an authenticated administrator into adding malicious game entries containing XSS payloads, which could then be executed in the context of other users' browsers when they view the affected pages (WPScan).

No known fix has been released for this vulnerability as of the last update. Users of the Coru LFMember plugin version 1.0.2 or earlier should consider either removing the plugin or implementing additional security controls to prevent unauthorized access to the plugin's administrative functions (WPScan).