CVE-2022-41990: 
WordPress vulnerability analysis and mitigation

The WordPress 3D Tag Cloud plugin version 3.8 and earlier contains a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored Cross-Site Scripting (XSS). The vulnerability was discovered and disclosed on October 27, 2022, and was assigned CVE-2022-41990. This security issue affects all versions of the 3D Tag Cloud plugin up to and including version 3.8 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue is classified under CWE-352 (Cross-Site Request Forgery). The vulnerability allows an unauthenticated attacker to perform CSRF attacks that can lead to stored XSS (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. This combination of CSRF and stored XSS could potentially lead to unauthorized actions and injection of malicious scripts into the affected WordPress sites (Patchstack).

As of the vulnerability disclosure, no official fix has been made available for this security issue. Given the low severity impact, virtual patching has been deemed unnecessary (Patchstack).