CVE-2022-4211: 
WordPress vulnerability analysis and mitigation

The Chained Quiz plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2022-4211) in versions up to and including 1.3.2. The vulnerability exists due to insufficient input sanitization and output escaping in the 'emailf' parameter on the 'chainedquiz_list' page (CVE Details).

The vulnerability stems from improper input validation where sanitizetextfield is used instead of esc_attr for parameter handling. Multiple endpoints in the plugin are affected, particularly in files like chained-quiz/controllers/completed.php and chained-quiz/views/completed.html.php. The CVSS score is 6.1 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Wordfence Advisory).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. When exploited against an admin user, the XSS can potentially be leveraged to add a new admin user to the website (GitHub PoC).

Users are advised to update the Chained Quiz plugin to a version newer than 1.3.2, which contains the security fixes for this vulnerability (CVE Details).