CVE-2022-4678: 
WordPress vulnerability analysis and mitigation

The TemplatesNext ToolKit WordPress plugin, versions before 3.2.8, contained a vulnerability (CVE-2022-4678) that allowed users with contributor-level access and above to perform Stored Cross-Site Scripting (XSS) attacks. The vulnerability was discovered and publicly disclosed on January 17, 2023 (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape certain shortcode attributes before outputting them back in a page or post where the shortcode is embedded. This could be exploited using malicious JavaScript code in shortcode attributes, such as through the proof of concept: [tx_heading margin='" onmouseover="alert(/XSS/)"']. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified under CWE-79 (WPScan).

The vulnerability allows authenticated users with contributor privileges or higher to inject malicious JavaScript code that executes when other users view the affected page or post. This could lead to various attacks including cookie theft, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been fixed in version 3.2.8 of the TemplatesNext ToolKit plugin. Site administrators should update to this version or later to protect against this vulnerability (WPScan).