CVE-2022-4762: 
WordPress vulnerability analysis and mitigation

The Materialis Companion WordPress plugin before version 1.3.40 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4762. The vulnerability was publicly disclosed on January 13, 2023, and affects users with contributor-level access or higher. The issue exists in the plugin's shortcode functionality where certain attributes are not properly validated and escaped before being output on the page (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the Materialis Companion plugin. The CVSS v3 base score is 5.4 (Medium), with an impact score of 2.7 and exploitability score of 2.3. The attack vector is network-based, requires low attack complexity, low privileges, and user interaction. The vulnerability has been classified under CWE-79 (Cross-Site Scripting) and is considered an A7 category in the OWASP Top 10 (AttackerKB).

When exploited, this vulnerability allows attackers with contributor-level access to perform Stored Cross-Site Scripting attacks that could target high-privilege users such as administrators. This could potentially lead to unauthorized actions being performed with administrator privileges when the malicious content is viewed (WPScan).

The vulnerability has been fixed in Materialis Companion version 1.3.40. Users are advised to update to this version or later to mitigate the risk (WPScan).