CVE-2022-4712: 
WordPress vulnerability analysis and mitigation

The WP Cerber Security plugin for WordPress contained a stored cross-site scripting (XSS) vulnerability in versions up to and including 9.1. The vulnerability was tracked as CVE-2022-4712 and was discovered by researcher Ramuel Gall. The issue was publicly disclosed on April 19, 2023 and fixed in version 9.2 of the plugin (WPScan).

The vulnerability exists in the login functionality where the plugin fails to properly sanitize and escape the log parameter when logging login attempts. This allows attackers to inject malicious JavaScript code that gets stored in the activity logs and executes when an admin user views the WP Cerber Dashboard > Activity section. The vulnerability received a CVSS score of 8.8 (High) and is classified as CWE-79: Cross-Site Scripting (WPScan).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an affected page. When triggered, the malicious code runs in the context of the victim's browser session, potentially allowing attackers to steal sensitive information or perform actions on behalf of the user (NVD).

The vulnerability has been patched in WP Cerber Security version 9.2. Site administrators should update to this version or later to protect against this security issue (WPScan).