CVE-2022-46817: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2022-46817) is an Authenticated (Admin+) Stored Cross-Site Scripting (XSS) vulnerability affecting the Flyzoo Chat WordPress plugin versions 2.3.3 and earlier. The vulnerability was discovered by researcher Justiice and was publicly disclosed on April 19, 2023 (Patchstack, WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape certain settings, which could enable high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in scenarios where the unfiltered_html capability is disallowed (such as in multisite setups). The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a slightly higher score of 5.9 (Medium) (NVD).

The vulnerability allows malicious actors with administrative access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack).

As of the latest reports, there is no official fix available for this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).