CVE-2022-27859: 
WordPress vulnerability analysis and mitigation

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered in the Nicdark d.o.o. Travel Management WordPress plugin versions 2.0 and below. The vulnerability was assigned CVE-2022-27859 and was disclosed on June 14, 2022. The plugin allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks due to insufficient sanitization and escaping of certain parameters (Patchstack, WPScan).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It received a CVSS v3.1 base score of 5.4 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a score of 4.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N (NVD).

The vulnerability could allow malicious actors with contributor-level access or higher to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The plugin has been closed since May 6, 2022, due to security issues and is no longer available for download. No official fix was released for this vulnerability. Users are advised to uninstall the plugin and find alternative solutions (WordPress).