CVE-2022-3137: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-3137 affects the TaskBuilder WordPress plugin versions before 1.0.8. The vulnerability was discovered and publicly disclosed on September 15, 2022. It involves an improper validation and sanitization of task attachments in the plugin, which affects WordPress installations using the vulnerable versions of TaskBuilder (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical nature of the vulnerability lies in the plugin's failure to properly validate and sanitize file attachments, specifically when handling SVG files (NVD).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscribers, to perform Stored Cross-Site Scripting attacks by uploading malicious SVG files. This could potentially lead to the execution of unauthorized JavaScript code in users' browsers and the theft of sensitive information such as cookies (WPScan).

The vulnerability has been fixed in TaskBuilder version 1.0.8. Users are advised to update to this version or later to mitigate the security risk. No alternative workarounds have been publicly documented (WPScan).