CVE-2022-4473: 
WordPress vulnerability analysis and mitigation

The Widget Shortcode WordPress plugin through version 0.3.5 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4473. The vulnerability was discovered by István Márton and publicly disclosed on January 17, 2023. This security issue affects the WordPress plugin Widget Shortcode up to and including version 0.3.5 (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape certain shortcode attributes before outputting them back in the page. The CVSS v3.1 base score is rated at 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with impacts on confidentiality and integrity (NVD).

The vulnerability allows users with privileges as low as contributor to perform Stored Cross-Site Scripting attacks that could potentially target high-privilege users such as administrators. This could lead to unauthorized actions being performed in the context of the administrator's session (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the affected plugin should consider either removing it or implementing additional security controls to restrict access to the shortcode functionality (WPScan).