CVE-2022-1990: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-1990 affects the Nested Pages WordPress plugin versions before 3.1.21. The issue was discovered and publicly disclosed on June 6, 2022. This security flaw involves improper escaping and sanitization of certain plugin settings, potentially enabling stored Cross-Site Scripting (XSS) attacks by users with high privileges when the unfiltered_html capability is disabled (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It received a CVSS score of 3.4 (low severity). The technical issue stems from the plugin's failure to properly escape and sanitize some of its settings, specifically in the "Menu Name" settings area. A proof of concept demonstrates that an attacker can inject malicious JavaScript code using the payload '"onmouseover=alert("XSS")//' in the Menu Name settings (WPScan).

The vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disabled. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who access the affected areas of the WordPress admin panel (WPScan).

The vulnerability has been fixed in version 3.1.21 of the Nested Pages WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).