CVE-2022-3986: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-3986 affects the WP Stripe Checkout WordPress plugin versions below 1.2.2.21. It is a Stored Cross-Site Scripting (XSS) vulnerability that was discovered and publicly disclosed on November 22, 2022. The vulnerability allows users with contributor-level permissions or higher to perform stored XSS attacks through unvalidated shortcode attributes (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape shortcode attributes before outputting them back in the page. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. The vulnerability can be exploited by injecting malicious JavaScript code through the shortcode attributes, which gets stored and executed when the page is viewed (WPScan).

When exploited, this vulnerability allows attackers with contributor-level access to store and execute malicious JavaScript code that affects users viewing the compromised pages. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks against site visitors (WPScan).

The vulnerability has been fixed in version 1.2.2.21 of the WP Stripe Checkout plugin. Site administrators are advised to update to this version or later to mitigate the risk (WPScan).