CVE-2022-4260: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was identified in the WP-Ban WordPress plugin versions below 1.69.1, tracked as CVE-2022-4260. The vulnerability was discovered and publicly disclosed on December 6, 2022. The issue affects the plugin's settings functionality, specifically impacting WordPress installations using the WP-Ban plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.4 (low severity) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

When exploited, this vulnerability allows attackers with administrative access to inject malicious JavaScript code through the plugin's settings, specifically in the 'Banned Referrers' and 'Banned Message' fields. The injected code would then be executed when other users trigger the ban conditions (WPScan).

The vulnerability has been patched in WP-Ban version 1.69.1. Website administrators are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).