CVE-2022-4714: 
WordPress vulnerability analysis and mitigation

The WP Dark Mode WordPress plugin before version 4.0.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4714. The vulnerability was discovered and publicly disclosed on January 30, 2023. The issue affects users with roles as low as contributor due to improper validation and escaping of shortcode attributes (WPScan).

The vulnerability stems from insufficient validation and escaping of shortcode attributes in the WP Dark Mode plugin. The issue can be exploited using a malicious shortcode with the following format: [wpdarkmode class='" onmouseover="alert(1)"']. The vulnerability has been assigned a CVSS score of 6.8 (medium) (WPScan).

This vulnerability allows attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages through the plugin's shortcode functionality. When executed, this code runs in the context of other users' browsers who view the affected pages, potentially leading to session hijacking, credential theft, or other malicious actions (WPScan).

The vulnerability has been fixed in WP Dark Mode version 4.0.0. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).