CVE-2022-4786: 
WordPress vulnerability analysis and mitigation

The Video.js WordPress plugin through version 4.5.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in December 2022 and was assigned CVE-2022-4786. The issue affects the plugin's shortcode functionality, where certain attributes are not properly validated and escaped before being output in pages or posts (WPScan).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79). The CVSS v3.1 base score is 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical issue involves the plugin's failure to properly validate and escape shortcode attributes before rendering them in pages or posts where the shortcode is embedded (NVD).

The vulnerability allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of malicious JavaScript code in users' browsers when viewing affected pages (WPScan).

As of the latest available information, there is no known fix for this vulnerability in the Video.js WordPress plugin. Website administrators using affected versions (4.5.0 and below) should consider either removing the plugin or implementing additional security controls to restrict access to shortcode usage (WPScan).