CVE-2022-4488: 
WordPress vulnerability analysis and mitigation

The Widgets on Pages WordPress plugin before version 1.8.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was publicly disclosed on January 17, 2023, and affects the plugin's shortcode attribute handling functionality. This security issue allows users with contributor-level privileges to potentially execute malicious scripts that could affect high-privilege users such as administrators (WPScan Advisory).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in the page. The issue affects multiple attributes including tiny, id, small, medium, large, and wide. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and required privileges (NVD).

The vulnerability enables attackers with contributor-level access to perform Stored Cross-Site Scripting attacks. These attacks could be leveraged against high-privilege users such as administrators, potentially leading to unauthorized actions being performed with administrative privileges (WPScan Advisory).

The vulnerability has been fixed in version 1.8.0 of the Widgets on Pages plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).