CVE-2022-36378: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-36378 is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability affecting the PluginlySpeaking Floating Div WordPress plugin versions 3.0 and below. The vulnerability was discovered and disclosed on July 29, 2022, requiring an author or higher user role for exploitation (Patchstack Report).

The vulnerability stems from the plugin's failure to properly sanitize and escape certain parameters, which could allow users with author-level privileges or higher to perform Cross-Site Scripting attacks. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. It is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Report).

As of July 29, 2022, the plugin has been closed and is no longer available for download due to this security issue. No official fix has been released for this vulnerability (WordPress Plugin).