CVE-2022-4973: 
WordPress vulnerability analysis and mitigation

WordPress Core versions up to 6.0.2 contain an Authenticated Stored Cross-Site Scripting vulnerability (CVE-2022-4973). The vulnerability was discovered and disclosed in August 2022, affecting all WordPress installations prior to version 6.0.2. The issue specifically impacts users with access to the WordPress post and page editor, including Authors, Contributors, and Editors (NVD).

The vulnerability is classified as an Authenticated Stored Cross-Site Scripting (XSS) issue that occurs when the the_meta() function is called on a page. It allows users with editor access to inject arbitrary web scripts into posts and pages. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 4.9 (Medium) from Wordfence, indicating moderate severity (NVD).

When exploited, this vulnerability allows authenticated users with post and page editor access to inject malicious scripts that execute when the the_meta() function is called. This could potentially lead to unauthorized actions being performed in the context of other users, including administrators, who view the affected pages (NVD).

The vulnerability was patched in WordPress version 6.0.2. Site administrators are strongly recommended to update to this version or later to protect against this security issue. The fix was also backported to all WordPress versions since 3.7 through security releases (WordPress Release).

The vulnerability was responsibly disclosed by John Blackbourn of the WordPress security team, who identified the output escaping issue within the the_meta() function. WordPress promptly addressed the vulnerability through a security release, demonstrating their commitment to maintaining platform security (WordPress Release).