CVE-2022-3128: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-3128 affects the Donation Thermometer WordPress plugin versions before 2.1.3. The vulnerability was discovered and publicly disclosed on September 7, 2022, by security researcher Asif Nawaz Minhas (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to properly sanitize and escape certain settings, particularly in the Currency settings section. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The XSS payload can be triggered when accessing the settings page or in frontend pages where the [thermometer] shortcode is embedded (WPScan).

The vulnerability has been fixed in version 2.1.3 of the Donation Thermometer plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).