CVE-2023-0043: 
WordPress vulnerability analysis and mitigation

The Custom Add User WordPress plugin through version 2.0.2 contains a Reflected Cross-Site Scripting vulnerability, identified as CVE-2023-0043. The vulnerability was publicly disclosed on February 2, 2023, and affects the plugin's handling of user input parameters (WPScan, NVD).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79). The CVSS v3.1 base score is 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows attackers to execute cross-site scripting attacks, potentially leading to unauthorized access to sensitive information or manipulation of web content (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the Custom Add User WordPress plugin version 2.0.2 or earlier should consider implementing additional security measures or potentially removing the plugin until a patch is available (WPScan).

The vulnerability was initially discovered and reported by security researcher Shreya Pohekar (WPScan).