CVE-2022-4663: 
WordPress vulnerability analysis and mitigation

The Members Import plugin for WordPress (versions up to 1.4.2) contains a Self Cross-Site Scripting vulnerability (CVE-2022-4663) discovered and disclosed on January 3, 2023. The vulnerability exists in the user_login parameter when processing imported CSV files, affecting the plugin's input handling functionality (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's CSV import functionality. It has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 5.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE, WPScan).

If successfully exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute when a site administrator uploads a malicious CSV file. This could lead to potential compromise of user data and website functionality (NVD CVE).

No known fix has been reported for this vulnerability as of the latest available information. Website administrators using the affected versions of the Members Import plugin should exercise caution when importing CSV files and consider disabling the plugin until a security update is available (WPScan).