CVE-2022-45814: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Fabian von Allmen WP Calendar WordPress plugin versions 1.5.3 and below. The vulnerability was publicly disclosed on December 7, 2022, and was assigned CVE-2022-45814. The vulnerability affects users with roles as low as Contributor in WordPress installations using the affected plugin versions (Patchstack, WPScan).

The vulnerability stems from improper sanitization and escaping of certain parameters in the WP Calendar plugin. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Patchstack).

The vulnerability allows authenticated users with Contributor-level access or higher to perform Stored Cross-Site Scripting attacks. This could enable malicious actors to inject harmful scripts that execute when other users visit the affected pages, potentially leading to session hijacking, defacement, or other malicious activities (WPScan).

As of the latest reports, there is no official fix available for this vulnerability. Website administrators using the affected versions of the WP Calendar plugin should consider implementing additional security measures or removing the plugin until a patch is released (Patchstack).