CVE-2022-3136: 
WordPress vulnerability analysis and mitigation

The Social Rocket WordPress plugin versions before 1.3.3 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-3136. The vulnerability was discovered and publicly disclosed on September 19, 2022. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations where the plugin is active (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow attackers with administrative access to inject malicious JavaScript code into the plugin's settings. This injected code would then be executed in the context of other users' browsers when they access the affected pages, potentially leading to unauthorized data access or manipulation of the WordPress site's content (WPScan).

The vulnerability has been patched in version 1.3.3 of the Social Rocket plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk. If immediate updating is not possible, limiting administrative access and monitoring admin activity can help reduce the risk of exploitation (WPScan).