CVE-2022-2936: 
WordPress vulnerability analysis and mitigation

The Image Hover Effects Ultimate plugin for WordPress (versions up to 9.7.3) contains a Stored Cross-Site Scripting vulnerability (CVE-2022-2936) that affects the Video Link values feature. The vulnerability was discovered and reported by Zhouyuan Yang, with a CVSS score of 6.4 (Medium) (Wordfence).

The vulnerability stems from insufficient input sanitization and output escaping in the Video Link values that can be added to an Image Hover. The technical assessment shows a CVSS 3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. While the plugin typically restricts access to administrators, if site admins configure the 'Who Can Edit?' setting to include lower-privileged users, these users can also exploit the vulnerability (NVD).

A patch has been released to address this vulnerability. Users should update their Image Hover Effects Ultimate plugin to a version newer than 9.7.3 to mitigate this security risk (NVD).