
CVE-2022-3408: CWE-79 Cross-Site Scripting (XSS) in Unknown WP Word Count

Severity: Medium
Tags: Vulnerability, CVE-2022-3408, CWE-79
Published: Mon Oct 31 2022 (10/31/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: WP Word Count

Description

The WP Word Count WordPress plugin through 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

AI-Powered Analysis

Last updated: 07/05/2025, 16:11:24 UTC

Technical Analysis

CVE-2022-3408 is a medium-severity Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the WP Word Count WordPress plugin version 3.2.3 and earlier. It arises because the plugin fails to sanitize and escape certain settings values. As a result, users with high privileges, such as administrators, can inject script into the plugin's settings interface, and the injected content is accepted even when the WordPress 'unfiltered_html' capability is disabled, which normally restricts users from submitting unfiltered HTML. The CVSS vector requires network access (AV:N), low attack complexity (AC:L) and high privileges (PR:H) with user interaction (UI:R); the scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. Exploitation would typically involve an admin user interacting with a crafted setting or interface element that triggers the injected script, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress admin environment. There are no known exploits in the wild, and no official patches have been linked, so mitigation may rely on plugin updates or on manual code review and sanitization by site administrators.

Potential Impact

For European organizations using WordPress sites with the WP Word Count plugin version 3.2.3 or earlier, this vulnerability poses a risk primarily to site integrity and confidentiality. An attacker with admin-level access could leverage this XSS flaw to execute arbitrary scripts, potentially stealing session cookies, modifying site content, or escalating privileges further. While the vulnerability requires high privileges to exploit, insider threats or compromised admin accounts could be leveraged. The impact is particularly relevant for organizations with sensitive or regulated data hosted on WordPress platforms, such as government agencies, financial institutions, healthcare providers, and e-commerce businesses in Europe. Exploitation could lead to data leakage, defacement, or unauthorized administrative actions, undermining trust and compliance with data protection regulations like GDPR. However, the lack of known active exploitation and the medium severity rating suggest the threat is moderate but should not be ignored, especially in environments where WordPress plugins are widely used and administrative access is shared or less tightly controlled.

Mitigation Recommendations

European organizations should take the following specific actions to mitigate this vulnerability:

1) Immediately identify and inventory WordPress sites using the WP Word Count plugin version 3.2.3 or earlier.
2) Upgrade the plugin to the latest available version where the vulnerability is patched, or apply vendor-provided fixes if available.
3) If no patch exists, implement manual input sanitization and escaping for plugin settings fields by modifying the plugin code or using security plugins that enforce input validation.
4) Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
5) Regularly audit WordPress user roles and permissions to minimize the number of high-privilege users.
6) Monitor WordPress logs and web traffic for unusual activity that could indicate attempted exploitation, such as unexpected script injections or admin interface anomalies.
7) Educate administrators about the risks of XSS and the importance of cautious interaction with plugin settings and external inputs.
8) Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting WordPress admin interfaces.
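The sanitize-on-save, escape-on-output pattern behind recommendation 3, as an added example that is not WP Word Count's own code: a hypothetical settings field is shown first in the unsafe form the CVE describes and then in a hardened form. The option name wpwc_demo_label and all function names are placeholders; the WordPress functions used (register_setting, sanitize_text_field, esc_attr, esc_html, wp_kses_post) are real core APIs.

```php
<?php
// Added example, not the plugin's real code. 'wpwc_demo_label' is a placeholder option.

// --- Unsafe pattern: stored verbatim, echoed raw ---
function wpwc_demo_unsafe_register() {
    // No sanitize_callback: whatever an admin submits is stored as-is,
    // regardless of whether that admin holds the unfiltered_html capability.
    register_setting( 'wpwc_demo', 'wpwc_demo_label' );
}
function wpwc_demo_unsafe_render() {
    // Raw echo into an attribute: any stored markup renders for every user
    // who loads this settings page.
    echo '<input type="text" name="wpwc_demo_label" value="'
        . get_option( 'wpwc_demo_label', '' ) . '">';
}

// --- Hardened pattern: sanitize on save, escape on output ---
function wpwc_demo_sanitize_label( $value ) {
    // A plain-text label never needs HTML: strip tags and control characters.
    // For a field that legitimately holds limited HTML, use wp_kses_post()
    // instead so the allowed-tag list applies even to users with unfiltered_html.
    return sanitize_text_field( (string) $value );
}
function wpwc_demo_safe_register() {
    register_setting( 'wpwc_demo', 'wpwc_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'wpwc_demo_sanitize_label', // runs on every save
        'default'           => '',
    ) );
}
function wpwc_demo_safe_render() {
    $label = get_option( 'wpwc_demo_label', '' );
    // Escape for the context the value lands in: esc_attr() inside an
    // attribute, esc_html() in text content. Sanitizing on save is not enough
    // on its own, because old values may already be stored.
    echo '<input type="text" name="wpwc_demo_label" value="' . esc_attr( $label ) . '">';
    echo '<p>' . esc_html( $label ) . '</p>';
}
add_action( 'admin_init', 'wpwc_demo_safe_register' );
```

When reviewing a plugin for this class of bug, check both halves: every register_setting call should carry a sanitize_callback, and every echo of an option value should pass through an esc_* function matching its output context.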


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-10-06T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9e11

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 4:11:24 PM

Last updated: 7/31/2025, 6:11:17 AM
