CVE-2022-1889: 
NixOS vulnerability analysis and mitigation

The Newsletter WordPress plugin before version 7.4.6 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1889. The vulnerability exists due to improper escaping and sanitization of the preheader_text setting, which could allow high-privilege users to perform stored XSS attacks when the unfilteredhtml capability is disallowed (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires high privileges to exploit and user interaction for successful exploitation (NVD).

When successfully exploited, this vulnerability allows high-privilege users to inject and store malicious JavaScript code in the preheader_text setting. When other users view the affected newsletter content, the stored malicious code executes in their browsers, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been patched in version 7.4.6 of the Newsletter WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).