CVE-2022-44594: 
WordPress vulnerability analysis and mitigation

CVE-2022-44594 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Codebangers All in One Time Clock Lite WordPress plugin versions 1.3.320 and below. The vulnerability was discovered by Hoang Van Hiep (sk4rl1ghT) and was reported on October 31, 2022, with public disclosure occurring on November 30, 2022 (Patchstack Report).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that requires administrator privileges to exploit. It has been assigned a CVSS v3.1 base score of 4.8 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires high privileges, needs user interaction, can change scope, and can impact both confidentiality and integrity with no effect on availability (Patchstack Report).

The vulnerability could allow a malicious actor with administrative access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Report).

The vulnerability has been fixed in version 1.3.321 of the All in One Time Clock Lite plugin. Users are advised to update to version 1.3.321 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack Report).