CVE-2023-0070: 
WordPress vulnerability analysis and mitigation

The ResponsiveVoice Text To Speech WordPress plugin before version 1.7.7 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-0070. The vulnerability was discovered and publicly disclosed on January 11, 2023, affecting the plugin's shortcode attribute handling functionality (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in pages or posts where the shortcode is embedded. The issue has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability can be exploited through malicious shortcode attributes, as demonstrated in the proof of concept: [responsivevoice_button voice=''); alert(1); ('] (WPScan).

This vulnerability affects users with contributor roles and above, allowing them to perform Stored Cross-Site Scripting attacks. The stored XSS nature of the vulnerability means that malicious scripts can be permanently stored on the target servers and executed when other users access the affected pages (WPScan).

The vulnerability has been fixed in version 1.7.7 of the ResponsiveVoice Text To Speech WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).