CVE-2022-3096: 
WordPress vulnerability analysis and mitigation

The WP Total Hacks WordPress plugin through version 4.7.2 contains a security vulnerability identified as CVE-2022-3096. The vulnerability was discovered and publicly disclosed on October 10, 2022. The issue affects the plugin's access control mechanism, where low privilege users can modify the plugin's settings without proper authorization (WPScan).

The vulnerability stems from improper authorization controls in the WP Total Hacks plugin, allowing users with low-level privileges (such as subscribers) to modify plugin settings. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified under CWE-79 (Cross-site Scripting) and CWE-862 (Missing Authorization) (NVD).

The vulnerability allows low-privilege users such as subscribers to perform Stored Cross-Site Scripting (XSS) attacks against other users, including administrators. This is particularly dangerous as it could lead to the execution of malicious JavaScript code in the context of administrative users due to the lack of proper input sanitization and output escaping (WPScan).

As of the latest reports, there is no known fix available for this vulnerability in the WP Total Hacks plugin. Website administrators using this plugin should consider either removing it or implementing additional security controls to restrict access to the plugin's settings (WPScan).