CVE-2024-22162: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in WPZOOM Shortcodes WordPress plugin, tracked as CVE-2024-22162. The vulnerability affects versions up to 1.0.5 and was discovered by Dhabaleshwar Das on December 17, 2023, and publicly disclosed on January 16, 2024. This security issue is present in the WPZOOM Shortcodes plugin and allows for reflected XSS attacks against WordPress installations using the vulnerable plugin versions (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.1 (Medium) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires no authentication to exploit, making it particularly concerning (NVD, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts would be executed when visitors access the compromised site. The attack requires user interaction to be successful, but could potentially lead to data theft or site defacement (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch until an official fix becomes available. The vulnerability affects versions up to 1.0.5, and users should monitor for updates from the plugin developer (Patchstack).