CVE-2022-44629: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Catalyst Connect Zoho CRM Client Portal WordPress plugin versions 2.0.0 and below. The vulnerability was identified on November 2, 2022, and publicly disclosed on June 27, 2023. This security issue affects users with administrator privileges and above in WordPress installations (Patchstack).

The vulnerability occurs because the plugin fails to properly validate and escape certain parameters, potentially allowing privileged users to perform Stored Cross-Site Scripting attacks, even in scenarios where the unfilteredhtml capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 score of 5.9 (Medium) by Patchstack, while NIST assigned a score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, [Patchstack](https://patchstack.com/database/vulnerability/catalyst-connect-client-portal/wordpress-catalyst-connect-zoho-crm-client-portal-plugin-2-0-0-auth-stored-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability could enable malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would execute when visitors access the affected site. The impact is somewhat limited due to the requirement of administrative privileges to exploit the vulnerability (Patchstack).

The vulnerability was fixed in version 2.1.0 of the Catalyst Connect Zoho CRM Client Portal plugin. Users are advised to update to version 2.1.0 or later to remediate the vulnerability. Given that the software may be abandoned, users should consider replacing it with an alternative solution (Patchstack).