CVE-2022-4698: 
WordPress vulnerability analysis and mitigation

The ProfilePress WordPress plugin (versions up to 4.5.0) was identified with a Stored Cross-Site Scripting vulnerability (CVE-2022-4698), discovered and disclosed on December 23, 2022. The vulnerability affects multi-site installations and installations where unfiltered_html has been disabled, specifically impacting the form fields functionality within the plugin (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in several form fields. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 5.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-site Scripting) (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation (NVD).

The vulnerability has been patched in ProfilePress version 4.5.1. Users are advised to update their installations to this version or later to mitigate the risk (WPScan).