CVE-2022-40699: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in the Dario Curvino Yasr – Yet Another Stars Rating WordPress plugin versions 3.1.2 and below. The vulnerability was reported on October 18, 2022, and publicly disclosed on March 3, 2023. This security issue affects the WordPress plugin, which is used for implementing rating functionality on WordPress websites (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin failed to properly sanitize and escape certain parameters, leading to potential XSS attacks. The vulnerability has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. Users with privileges as low as Subscriber could potentially perform Stored Cross-Site Scripting attacks (WPScan, Patchstack).

The vulnerability has been fixed in version 3.1.3 of the Yet Another Stars Rating plugin. Website administrators are advised to update to version 3.1.3 or later to remove the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).