CVE-2022-4196: 
WordPress vulnerability analysis and mitigation

The Multi Step Form WordPress plugin (versions before 1.7.8) contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4196. The vulnerability was discovered by researchers zhangyunpei and Yeting Li from VARAS@IIE and was publicly disclosed on December 17, 2022. The issue affects the plugin's form fields, which lack proper sanitization and escaping mechanisms (WPScan).

The vulnerability stems from insufficient sanitization and escaping of form fields in the Multi Step Form plugin. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-Site Scripting) and affects multiple form fields including 'Step Title', 'Step Headline', 'Step description', and 'Sections' (NVD, WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed (for example in multisite setup). When exploited, the XSS payload can be triggered both during form editing and when viewing pages where the affected form is embedded (WPScan).

The vulnerability has been fixed in version 1.7.8 of the Multi Step Form WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).