CVE-2022-4321: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-4321 affects the PDF Generator for WordPress plugin versions before 1.1.2. The vulnerability was discovered and publicly disclosed on January 16, 2023. It involves a reflected Cross-Site Scripting (XSS) vulnerability in a vendored dompdf example file that could potentially be exploited against high-privilege users such as administrators (WPScan, CVE Mitre).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS score of 7.5 (High). It is mapped to CWE-79 and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). The vulnerability exists in a vendored dompdf example file within the plugin's package. A proof of concept demonstrates that the vulnerability can be exploited by making a logged-in admin open a specifically crafted URL targeting the Query.php file with a malicious keyword parameter (WPScan).

The vulnerability could be exploited to execute arbitrary JavaScript code in the context of high-privilege users such as administrators who access the malicious URL. This could potentially lead to unauthorized actions being performed with administrative privileges (WPScan).

The vulnerability has been fixed in version 1.1.2 of the PDF Generator for WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).