CVE-2022-2411: 
WordPress vulnerability analysis and mitigation

The Auto More Tag WordPress plugin through version 4.0.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape some of its settings, which could allow high privilege users such as administrators to perform Stored XSS attacks when the unfiltered_html capability is disallowed, for example in multisite setups. This vulnerability was discovered and disclosed on July 14, 2022, and was assigned CVE-2022-2411 (CVE Details, WPScan).

The vulnerability exists in the plugin's settings functionality, specifically in the 'Custom More Tag Content' settings field. When an administrator inputs malicious JavaScript code in this field, it gets stored in the database without proper sanitization and escaping. The vulnerability has a CVSS score of 3.4 (Low) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N (WPScan).

The vulnerability allows authenticated users with high privileges to store and execute malicious JavaScript code on the website. When the unfiltered_html capability is disallowed, particularly in multisite WordPress installations, this stored XSS can potentially affect other users viewing the compromised content (WPScan).

As of the latest available information, there is no known fix for this vulnerability. Website administrators using the Auto More Tag plugin should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings (WPScan).