CVE-2022-4792: 
WordPress vulnerability analysis and mitigation

The News & Blog Designer Pack WordPress plugin (CVE-2022-4792) contains a stored Cross-Site Scripting (XSS) vulnerability affecting versions before 3.3. The vulnerability was discovered on January 6, 2023, and allows users with contributor-level privileges or higher to perform stored XSS attacks through unvalidated shortcode attributes (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin. It has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-Site Scripting) and can be exploited using a malicious shortcode: [bdp_masonry grid='1" onmouseover="alert(1)" style="background:red;"'] (NVD, WPScan).

The vulnerability allows attackers with contributor-level access to inject malicious JavaScript code that executes in users' browsers when viewing affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been fixed in version 3.3 of the News & Blog Designer Pack plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).