CVE-2022-2413: 
WordPress vulnerability analysis and mitigation

The Slide Anything WordPress plugin before version 2.3.47 contains a cross-site scripting (XSS) vulnerability identified as CVE-2022-2413. The vulnerability exists due to improper sanitization and escaping of slide titles in admin pages, which allows authenticated users with Author-level privileges or higher to inject malicious JavaScript code into slide titles, even when the unfiltered_html capability is disabled. An incomplete fix was initially attempted in version 2.3.46 (WPScan).

The vulnerability is classified as a stored cross-site scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue allows attackers to create new slides with malicious JavaScript payloads in the title field, which then gets executed whenever the code is embedded (NVD, WPScan).

When exploited, this vulnerability allows authenticated users with Author-level access to inject and execute arbitrary JavaScript code in the context of other users' browsers who access the affected admin pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser session (WPScan).

The vulnerability has been fixed in version 2.3.47 of the Slide Anything WordPress plugin. Users are advised to update to this version or later to protect against this security issue (NVD).