CVE-2022-1967: 
WordPress vulnerability analysis and mitigation

The WP Championship WordPress plugin versions before 9.3 contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities identified as CVE-2022-1967. The vulnerability was discovered by Daniel Ruf and publicly disclosed on June 16, 2022. This security issue affects the plugin's administrative functions, allowing potential attackers to manipulate plugin settings and perform unauthorized actions (WPScan).

The vulnerability stems from the lack of CSRF protection mechanisms in various plugin functionalities. The issue has a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

When exploited, the vulnerability allows attackers to make a logged-in administrator perform unwanted actions without their knowledge or consent. These actions include creating and deleting arbitrary teams and updating the plugin's settings. Additionally, due to insufficient sanitization and escaping, the vulnerability could lead to Stored Cross-Site Scripting issues (WPScan).

The vulnerability has been fixed in version 9.3 of the WP Championship plugin. Website administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).