CVE-2022-4836: 
WordPress vulnerability analysis and mitigation

The Breadcrumb WordPress plugin versions prior to 1.5.33 contained a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4836. The vulnerability was discovered and publicly disclosed on January 11, 2023. The issue affects users with contributor-level permissions or higher who could exploit the plugin's shortcode functionality (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the Breadcrumb plugin. When these attributes are output back to the page, they could be manipulated to inject malicious JavaScript code. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified under CWE-79. A proof of concept exploit involves using the shortcode: [breadcrumb themes='" onmouseover="alert(1)"'] (WPScan).

The vulnerability allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. These attacks could be leveraged against high-privilege users such as administrators, potentially leading to unauthorized actions or data theft when an administrator views a page containing the malicious shortcode (WPScan).

The vulnerability has been patched in version 1.5.33 of the Breadcrumb plugin. Site administrators are advised to update to this version or later to mitigate the risk (WPScan).