CVE-2022-4760: 
WordPress vulnerability analysis and mitigation

The OneClick Chat to Order WordPress plugin before version 1.0.4.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4760. The vulnerability was discovered and publicly disclosed on December 28, 2022. This security issue affects the WordPress plugin 'oneclick-whatsapp-order' and allows users with contributor-level privileges or higher to perform stored XSS attacks (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in the page. The CVSS score for this vulnerability is 5.4 (Medium), with an attack vector requiring network access, low attack complexity, low privileges required, and user interaction. The vulnerability has been assigned CWE-79 classification for Cross-Site Scripting (AttackerKB).

When exploited, this vulnerability could allow attackers with contributor-level access to execute stored XSS attacks that could target high-privilege users such as administrators. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

The vulnerability has been fixed in version 1.0.4.2 of the OneClick Chat to Order plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).