CVE-2022-3847: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-3847 affects the WordPress plugin 'Showing URL in QR Code' versions 0.0.1 and below. This security issue was discovered by Kunal Sharma from the University of Kaiserslautern and Daniel Krohmer from Fraunhofer IESE, and was publicly disclosed on November 3, 2022 (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) with a CVSS score of 6.1 (medium severity). The technical issue stems from the plugin's lack of CSRF checks when updating settings, combined with missing sanitization and escaping mechanisms. This vulnerability is categorized under CWE-352 and falls into the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

The vulnerability allows attackers to execute a CSRF attack that could lead to stored XSS payloads being added to the system when a logged-in administrator or editor accesses a specially crafted page. This creates a persistent security risk that could be exploited for various malicious purposes (WPScan).

As of the last update, there is no known fix available for this vulnerability. Users of the affected plugin 'get-site-to-phone-by-qr-code' should consider either removing the plugin or implementing additional security measures at the web application level (WPScan).