CVE-2022-4542: 
WordPress vulnerability analysis and mitigation

The Compact WP Audio Player WordPress plugin before version 1.9.8 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists due to improper validation and escaping of shortcode attributes before they are output back in the page. This security issue was assigned CVE-2022-4542 and was publicly disclosed on December 27, 2022 (WPScan).

The vulnerability allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks by exploiting unvalidated shortcode attributes. Specifically, the pause button in the audio player shortcode is vulnerable to XSS. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability could allow attackers to execute malicious JavaScript code in the context of other users' browsers, including high-privilege users such as administrators. This could potentially lead to account compromise or other malicious actions performed with the victim's privileges (WPScan).

The vulnerability has been fixed in version 1.9.8 of the Compact WP Audio Player plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).