CVE-2022-2654: 
WordPress vulnerability analysis and mitigation

CVE-2022-2654 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the Classima WordPress theme before version 2.1.11 and its required plugins: Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20, and Classima Core before 1.10. The vulnerability was discovered and publicly disclosed on August 22, 2022 (WPScan).

The vulnerability occurs because the theme and its required plugins fail to properly escape a parameter before outputting it back in attributes. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers when they interact with specially crafted URLs. The XSS payload is triggered when users move their mouse over the Search field (WPScan).

The vulnerability has been fixed in the following versions: Classima theme version 2.1.11, Classified Listing version 2.2.14, Classified Listing Pro version 2.0.20, Classified Listing Store & Membership version 1.4.20, and Classima Core version 1.10. Users should update to these or later versions to mitigate the vulnerability (WPScan).