CVE-2022-4763: 
WordPress vulnerability analysis and mitigation

The Icon Widget WordPress plugin before version 1.3.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4763. The vulnerability was discovered and publicly disclosed on January 3, 2023. The issue affects the plugin's shortcode functionality where certain attributes are not properly validated and escaped before being output back to the page (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the Icon Widget plugin. Users with contributor-level permissions or higher can exploit this by injecting malicious JavaScript code through the shortcode attributes. A proof of concept exploit demonstrates this using the following payload: [icon_widget classes='" onmouseover="alert(1)"']. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79 (WPScan).

The vulnerability allows authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. These attacks could be used to target high-privilege users such as administrators, potentially leading to unauthorized actions being performed in their context (WPScan).

The vulnerability has been fixed in version 1.3.0 of the Icon Widget plugin. Site administrators should update to this version or later to protect against this security issue (WPScan).