CVE-2022-3391: 
WordPress vulnerability analysis and mitigation

The Retain Live Chat WordPress plugin through version 0.1 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-3391. The vulnerability was discovered by Rahul Selvakumar and publicly disclosed on October 3, 2022. The issue affects the plugin's settings functionality, specifically impacting WordPress installations including multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings. This security flaw has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled. This is particularly concerning in multisite WordPress setups (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the Retain Live Chat WordPress plugin should consider implementing additional security measures or evaluating alternative solutions (WPScan).