CVE-2022-2941: 
WordPress vulnerability analysis and mitigation

The WP-UserOnline WordPress plugin versions up to and including 2.88.0 contains multiple Stored Cross-Site Scripting (XSS) vulnerabilities. The issue was discovered in the 'Naming Conventions' section where user input is not properly sanitized or escaped on output. The vulnerability was assigned CVE-2022-2941 and was disclosed on August 22, 2022 (CVE Details).

The vulnerability exists due to improper input validation and output escaping in the 'Naming Conventions' section of the plugin. All fields in this section fail to properly sanitize user input and do not escape it when outputting the data. This creates an opportunity for stored XSS attacks. The vulnerability has been assigned a CVSS score of 3.4 (Low) (WPScan).

This vulnerability allows authenticated attackers with administrative privileges to inject JavaScript code into the settings that will execute whenever a user accesses the injected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (CVE Details).

The vulnerability has been patched in version 2.88.1 of the WP-UserOnline plugin. Users are advised to update to this version or later to protect against this security issue. The fix includes proper sanitization and escaping of user input in the affected fields (GitHub Commit).