CVE-2022-2169: 
WordPress vulnerability analysis and mitigation

The Loading Page with Loading Screen WordPress plugin before version 1.0.83 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-2169. The vulnerability was discovered and reported by Nikhil Kapoor, and was publicly disclosed on June 23, 2022. The issue affects the plugin's settings functionality, specifically impacting WordPress installations using this plugin (WPScan).

The vulnerability stems from improper input validation where the plugin fails to escape its settings, allowing high privilege users such as administrators to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. It is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated users with high privileges to inject malicious JavaScript code into the plugin's settings. This can lead to stored cross-site scripting attacks that could potentially affect other users accessing the affected pages, even when the unfiltered_html capability is disabled (WPScan).

The vulnerability has been fixed in version 1.0.83 of the Loading Page with Loading Screen plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).