CVE-2022-4483: 
WordPress vulnerability analysis and mitigation

The Insert Pages WordPress plugin before version 3.7.5 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4483. The vulnerability was discovered in December 2022 and affects users with contributor-level permissions or higher. The plugin fails to properly validate and escape certain shortcode attributes before rendering them on pages (WPScan, NVD).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin's output functionality. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. An example exploit involves using malicious JavaScript within the shortcode attributes: [insert page="2" class="' onmouseover='alert(1)'"]. The attack requires the page ID to be different from the current page ID (WPScan).

When successfully exploited, this vulnerability allows attackers with contributor-level access to perform stored Cross-Site Scripting attacks. These attacks could potentially target high-privilege users such as administrators, potentially leading to unauthorized actions or data exposure (WPScan).

The vulnerability has been patched in version 3.7.5 of the Insert Pages plugin. Site administrators should update to this version or later to mitigate the risk (WPScan).