CVE-2022-2935: 
WordPress vulnerability analysis and mitigation

The Image Hover Effects Ultimate plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2022-2935) in versions up to and including 9.7.3. The vulnerability exists in the Media Image URL value that can be added to an Image Hover due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, low privileges, and user interaction (NVD).

The vulnerability allows authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While the plugin by default only allows administrators to edit Image Hovers, if site administrators configure the 'Who Can Edit?' setting to allow lower privileged users access, these users could exploit the vulnerability (NVD).

The vulnerability has been patched in a newer version of the plugin. Users should update their Image Hover Effects Ultimate plugin to a version newer than 9.7.3 to mitigate this vulnerability (NVD).