CVE-2022-29425: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in WP Wham's Checkout Files Upload for WooCommerce plugin versions 2.1.2 and earlier for WordPress. The vulnerability was disclosed on May 4, 2022, and was assigned identifier CVE-2022-29425. This security issue affects the WordPress plugin that allows customers to upload files during or after WooCommerce checkout process (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The issue specifically involves improper escaping of filenames on order confirmation/thank you pages (WordPress Plugin).

If exploited, this XSS vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The vulnerability requires user interaction to be exploited but does not require authentication (Patchstack).

The vulnerability was patched in version 2.1.3 of the plugin, released on May 10, 2022. Users are strongly advised to update to version 2.1.3 or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (WordPress Plugin, Patchstack).