CVE-2023-1575: 
WordPress vulnerability analysis and mitigation

The Mega Main Menu WordPress plugin versions up to 2.2.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Marco Wotschka and publicly disclosed on March 29, 2023. The plugin fails to properly sanitize and escape some of its settings, affecting installations where the plugin is active (WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's settings. This security flaw allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 5.5 (Medium) (WPScan).

When exploited, this vulnerability could allow authenticated attackers with administrator-level access to inject malicious scripts into the plugin's settings. These scripts would then be executed when other users access the affected pages, potentially leading to unauthorized actions being performed in the context of the victim's session (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Site administrators running affected versions of the Mega Main Menu plugin should consider implementing additional security controls or evaluating alternative menu plugins until a patch is released (WPScan).