CVE-2022-36282: 
WordPress vulnerability analysis and mitigation

CVE-2022-36282 is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability affecting Roman Pronskiy's Search Exclude WordPress plugin versions 1.2.6 and below. The vulnerability was discovered and reported on August 22, 2022 (Patchstack Report).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly lower CVSS score of 4.8 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability could allow a malicious actor with editor or higher privileges to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Report).

The vulnerability has been patched in version 1.2.7 of the Search Exclude plugin. Users are recommended to update to version 1.2.7 or later to remove the vulnerability (WordPress Plugin, Patchstack Report).