CVE-2022-4626: 
WordPress vulnerability analysis and mitigation

The PPWP WordPress plugin before version 1.8.6 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4626. The vulnerability was discovered in December 2022 and affects the password protection functionality of the plugin. The issue stems from insufficient validation and escaping of shortcode attributes before they are output back in the page (WPScan).

The vulnerability exists due to improper validation and escaping of shortcode attributes in the PPWP WordPress plugin. Users with privileges as low as contributor can exploit this vulnerability by injecting malicious JavaScript code through shortcode attributes. The vulnerability has been assigned a CVSS score of 6.8 (medium severity). A proof of concept exploit involves using the shortcode: [ppwp passwords='pw' class='" onmouseover="alert(1)"']content[/ppwp] (WPScan).

When exploited, this vulnerability allows attackers with contributor-level access to perform Stored Cross-Site Scripting attacks. These attacks can be used to target high-privilege users such as administrators, potentially leading to unauthorized actions being performed in their context (WPScan).

The vulnerability has been patched in PPWP WordPress plugin version 1.8.6. Site administrators should update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).