CVE-2022-4487: 
WordPress vulnerability analysis and mitigation

The Easy Accordion WordPress plugin before version 2.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4487. The vulnerability was discovered and disclosed on December 23, 2022. The plugin fails to properly validate and escape certain shortcode attributes before outputting them back in the page, affecting WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability allows users with privileges as low as contributor to perform Stored Cross-Site Scripting attacks by manipulating shortcode attributes. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. Example exploit vectors include malicious shortcode inputs such as [efaccordion id='"); alert(1); jQuery("'] and [efaccordion id='" onmouseover="alert(1)" style="background:red;width:100px;height:100px;'] (WPScan).

The vulnerability could be exploited to execute arbitrary JavaScript code in the context of other users' browsers, particularly targeting high-privilege users such as administrators. This could potentially lead to unauthorized actions being performed on behalf of the targeted users (WPScan).

The vulnerability has been fixed in Easy Accordion version 2.2.0. Site administrators are advised to update to this version or later to mitigate the security risk (WPScan).