CVE-2022-47145: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Blockonomics WordPress Bitcoin Payments plugin, affecting versions 3.5.7 and below. The vulnerability was discovered by Team WeBoB on December 9, 2022, and was assigned CVE-2022-47145. The issue was publicly disclosed on February 14, 2023, by Patchstack (Patchstack Advisory).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 7.1 (High) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, while NIST assigned a score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited without authentication (NVD Database).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts are executed when visitors access the affected site, potentially compromising user security and website integrity (Patchstack Advisory).

The vulnerability was fixed in version 3.5.8 of the Blockonomics WordPress Bitcoin Payments plugin. Users are advised to update to version 3.5.8 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Advisory).