CVE-2022-33978: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress FontMeister plugin versions 1.08 and below. The vulnerability was identified on September 23, 2022, by researcher Nguyen Anh Tien and was assigned CVE-2022-33978. The plugin has been closed due to this security issue and is no longer available for download (Patchstack, WordPress Plugin).

The vulnerability received a CVSS v3.1 score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). It requires no authentication to exploit and can be triggered through user interaction (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts would be executed when visitors access the compromised site (Patchstack).

No official fix is available for this vulnerability. The plugin has been closed since September 23, 2022, and is no longer available for download. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until an official fix becomes available (Patchstack, WordPress Plugin).