CVE-2022-4664: 
WordPress vulnerability analysis and mitigation

The Logo Slider WordPress plugin before version 3.6.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4664. The vulnerability was discovered and disclosed on December 16, 2022. The issue affects the plugin's shortcode functionality where certain attributes are not properly validated and escaped before being output on pages or posts (WPScan, NVD).

The vulnerability exists due to improper validation and escaping of shortcode attributes in the Logo Slider plugin. When the shortcode is embedded in a page or post, the unescaped attributes are output directly, enabling stored XSS attacks. The vulnerability has been assigned a CVSS score of 6.8 (medium severity). A proof of concept exploit involves using malicious JavaScript in the shortcode attributes: [logo-slider border='yes' bordercolor='red" onmouseover="alert(1)"'] (WPScan).

The vulnerability allows users with contributor-level access or higher to perform stored Cross-Site Scripting attacks. When successfully exploited, attackers can inject malicious JavaScript code that executes in visitors' browsers when viewing affected pages (WPScan).

The vulnerability has been fixed in Logo Slider version 3.6.0. Site administrators should update to this version or later to protect against this security issue (WPScan).