CVE-2022-4391: 
WordPress vulnerability analysis and mitigation

The Vision Interactive For WordPress plugin through version 1.5.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on December 16, 2022, and was assigned CVE-2022-4391. This security issue affects WordPress installations using the Vision Interactive plugin versions up to 1.5.3 (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings. The issue allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to inject malicious JavaScript code into WordPress posts through the plugin's shortcode functionality. The injected code executes when other users interact with the affected content, potentially leading to unauthorized actions or data theft in the context of the victim's browser session (WPScan).

The vulnerability has been patched in version 1.5.4 of the Vision Interactive For WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).