CVE-2022-4578: 
WordPress vulnerability analysis and mitigation

The Video Conferencing with Zoom WordPress plugin (versions before 4.0.10) was identified with a stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2022-4578. The vulnerability was discovered in December 2022 and publicly disclosed on December 29, 2022. The issue affects the plugin's shortcode functionality, specifically impacting WordPress installations using vulnerable versions of the Video Conferencing with Zoom plugin (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back to the page. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (NVD, WPScan).

The vulnerability allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. These attacks can be leveraged against high-privilege users such as administrators, potentially leading to unauthorized actions or data exposure when privileged users view the compromised content (WPScan).

The vulnerability has been fixed in version 4.0.10 of the Video Conferencing with Zoom WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).