CVE-2022-1951: 
WordPress vulnerability analysis and mitigation

The Core Plugin for Kitestudio Themes (kitestudio-core) was found to contain a Reflected Cross-Site Scripting vulnerability, identified as CVE-2022-1951. The vulnerability was discovered in versions prior to 2.3.1 and was publicly disclosed on June 15, 2022. The issue affects WordPress installations using the Kitestudio Core plugin when a premium theme from the vendor is active (WPScan).

The vulnerability stems from improper sanitization and escaping of parameters in AJAX action responses. The issue is accessible to both authenticated and unauthenticated users when a premium theme from the vendor is active. The vulnerability has been assigned a CVSS score of 6.1 (Medium) and is classified under CWE-79, falling into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows attackers to execute cross-site scripting attacks through the plugin's AJAX functionality. The impact is particularly significant as it affects both authenticated and unauthenticated users, potentially leading to the execution of malicious JavaScript code in users' browsers (WPScan).

The vulnerability has been patched in version 2.3.1 of the Kitestudio Core plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).