CVE-2022-2775: 
WordPress vulnerability analysis and mitigation

The Fast Flow WordPress plugin before version 1.2.13 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-2775. The vulnerability was discovered by Hardik Rathod and publicly disclosed on July 31, 2022. This security issue affects the Widget settings functionality within the plugin, specifically impacting WordPress installations using the Fast Flow Dashboard plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of Widget settings in the Fast Flow plugin. The issue has been assigned a CVSS score of 3.4 (low severity) and is classified under CWE-79. The vulnerability specifically affects the HTML widget functionality in the dashboard, where unsanitized input in the Title or Description fields can lead to stored XSS attacks. This vulnerability is particularly notable as it can be exploited even when the unfiltered_html capability is disabled, such as in multisite setups (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. When exploited, the XSS payload becomes active when viewing the Dashboard page at /wp-admin/admin.php?page=fast-flow, potentially affecting other administrative users accessing the dashboard (WPScan).

The vulnerability has been patched in version 1.2.13 of the Fast Flow plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).