CVE-2022-4758: 
WordPress vulnerability analysis and mitigation

The 10WebMapBuilder WordPress plugin before version 1.0.72 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4758. The vulnerability was discovered and disclosed on December 29, 2022. The issue affects the plugin's shortcode functionality, where insufficient validation and escaping of shortcode attributes could lead to security risks (WPScan Advisory).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in the page. The CVSS v3.1 base score is 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Cross-Site Scripting. A proof of concept exploit involves using the shortcode format: [GoogleMapsWD map='1' id='" onmouseover="alert(1)" style='] (NVD, WPScan Advisory).

The vulnerability allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks. These attacks could potentially be used against high-privilege users such as administrators, potentially leading to unauthorized actions or data exposure (WPScan Advisory).

The vulnerability has been fixed in version 1.0.72 of the 10WebMapBuilder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).