CVE-2022-4214: 
WordPress vulnerability analysis and mitigation

The WordPress plugin Chained Quiz version 1.3.2 and earlier contains multiple Cross-Site Scripting (XSS) vulnerabilities identified as CVE-2022-4214. The vulnerability was discovered by Muhammad Zeeshan and disclosed on November 24, 2022. The issue affects multiple endpoints in the plugin and is rated with a CVSS Score of 6.1 (Medium) (Wordfence).

The vulnerability stems from improper input sanitization where sanitizetextfield is used instead of esc_attr in multiple files including chained-quiz/controllers/completed.php and chained-quiz/views/completed.html.php. The vulnerability affects multiple endpoints that are accessible to authenticated administrators. When exploited, the XSS payload can be triggered through various parameter inputs in the admin interface (GitHub Gist).

When successfully exploited, the XSS vulnerability can be used to execute arbitrary JavaScript code in the context of an authenticated administrator's browser session. This could potentially lead to the creation of new admin users on the website, effectively compromising the WordPress installation (GitHub Gist).

Website administrators running the affected version of the Chained Quiz plugin should update to a patched version. The vulnerability affects version 1.3.2 and earlier versions of the plugin (Wordfence).