CVE-2022-4752: 
WordPress vulnerability analysis and mitigation

The Opening Hours WordPress plugin through version 2.3.0 contains a stored Cross-Site Scripting (XSS) vulnerability that affects users with contributor role and above. The vulnerability was discovered in December 2022 and publicly disclosed on January 25, 2023. The issue exists in the plugin's shortcode functionality, which fails to properly validate and escape certain attributes (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in pages or posts where the shortcode is embedded. The issue has been assigned a CVSS score of 6.8 (Medium) and is classified under CWE-79: Cross-Site Scripting. The vulnerability can be exploited through the 'op-is-open' shortcode by manipulating attributes such as 'classes' to inject malicious JavaScript code (WPScan).

When successfully exploited, this vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This means malicious actors could inject and store harmful JavaScript code that would execute when other users view the affected pages (WPScan).

As of the vulnerability disclosure, no official fix has been released for this security issue. Users of the Opening Hours plugin version 2.3.0 or lower should consider either removing the plugin or implementing additional security controls to restrict access to shortcode usage (WPScan).