CVE-2022-4301: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-4301 affects the Sunshine Photo Cart WordPress plugin versions before 2.9.15. The vulnerability was discovered and reported on December 14, 2022, and publicly disclosed on December 15, 2022. The issue stems from the plugin's failure to properly sanitize and escape a parameter before outputting it back in the page (WPScan).

This vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79. It has been assigned a CVSS score of 7.5 (High), indicating significant severity. The vulnerability exists in the user registration functionality where an unsanitized parameter can be exploited through the registration URL. The technical implementation flaw allows for the injection of malicious JavaScript code through the redirect_to parameter (WPScan).

The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the specially crafted URL. This could potentially lead to session hijacking, credential theft, or other client-side attacks against users of the affected WordPress installations (WPScan).

The vulnerability has been fixed in version 2.9.15 of the Sunshine Photo Cart plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk. If immediate updating is not possible, disabling user registration could serve as a temporary workaround (WPScan).