CVE-2022-4210: 
WordPress vulnerability analysis and mitigation

The WordPress plugin Chained Quiz version 1.3.2 and earlier contains multiple Cross-Site Scripting (XSS) vulnerabilities identified as CVE-2022-4210. The vulnerability was discovered by Muhammad Zeeshan and disclosed on November 24, 2022. The issue stems from insufficient input sanitization and output escaping in multiple endpoints of the plugin (GitHub Gist, NVD).

The vulnerability has been assigned a CVSS score of 6.1 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The core issue lies in the plugin's use of sanitizetextfield where esc_attr should have been implemented. Multiple endpoints are affected, including files in the chained-quiz/controllers/completed.php and chained-quiz/views/completed.html.php paths (Wordfence Advisory, GitHub Gist).

When exploited, the vulnerability allows unauthenticated attackers to inject arbitrary web scripts. For authenticated administrators who visit a maliciously crafted URL, the XSS payload can be triggered, potentially leading to the creation of unauthorized admin users on the website (NVD, GitHub Gist).

Website administrators running the affected versions of the Chained Quiz plugin should update to a patched version as soon as possible. If immediate updating is not possible, considering disabling the plugin until a security update can be applied (Wordfence Advisory).