CVE-2022-4718: 
WordPress vulnerability analysis and mitigation

The WordPress Landing Page Builder plugin versions below 1.4.9.9 contained a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2022-4718. The vulnerability was discovered and publicly disclosed on December 27, 2022. This security issue affected users with contributor-level privileges or higher who could exploit the plugin's shortcode functionality (Patchstack, WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output on the page. The CVSS score for this vulnerability is 6.3 (Medium severity). The issue specifically involves the plugin's shortcode functionality where malicious scripts could be injected through the shortcode attributes. A proof of concept demonstrates that attackers could exploit this by inserting a malicious shortcode: [pbsamlplenav menuclass="menu-style-1" pblogo_url="invalid' onerror='alert(1)"] (WPScan).

When exploited, this vulnerability allows attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These scripts would be executed when visitors browse the affected pages. The impact is particularly concerning as the injected scripts would run with the privileges of the visiting user, potentially affecting administrative users (Patchstack).

The vulnerability was patched in version 1.4.9.9 of the Landing Page Builder plugin. Site administrators are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).