CVE-2022-2374: 
WordPress vulnerability analysis and mitigation

The Simply Schedule Appointments WordPress plugin before version 1.5.7.7 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-2374. The vulnerability was discovered on July 11, 2022, and publicly disclosed on August 8, 2022. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations where the plugin is active (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The issue exists even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The impact is particularly concerning in multisite WordPress installations where even administrators are typically restricted from using unfiltered HTML (WPScan).

The vulnerability has been patched in version 1.5.7.7 of the Simply Schedule Appointments plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).