CVE-2022-4764: 
WordPress vulnerability analysis and mitigation

The Simple File Downloader WordPress plugin through version 1.0.4 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on January 25, 2023. The plugin fails to properly validate and escape certain shortcode attributes before outputting them back in pages or posts where the shortcode is embedded (WPScan).

The vulnerability exists due to improper validation and escaping of shortcode attributes in the plugin. Users with contributor-level permissions or higher can exploit this by injecting malicious JavaScript code through the shortcode attributes, which gets stored and executed when the content is viewed. The vulnerability has been assigned a CVSS score of 6.8 (Medium) and is classified as CWE-79: Cross-Site Scripting. A proof of concept demonstrates that an attacker can inject malicious code using the media-downloader shortcode's class attribute (WPScan).

When successfully exploited, this vulnerability allows authenticated users with contributor privileges or higher to store and execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser session (WPScan).

As of the vulnerability disclosure, there is no known fix available for this issue. Website administrators using the Simple File Downloader plugin version 1.0.4 or lower should consider either removing the plugin or implementing additional security controls to restrict access to post creation and editing capabilities (WPScan).