CVE-2023-0079: 
WordPress vulnerability analysis and mitigation

CVE-2023-0079 affects the Customer Reviews for WooCommerce plugin versions below 5.17.0. The vulnerability was discovered and publicly disclosed on January 24, 2023. This security issue impacts WordPress installations using the affected plugin versions (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that affects users with contributor-level permissions and above. The plugin fails to properly validate and escape certain shortcode attributes before outputting them in pages or posts where the shortcode is embedded. The affected attributes include color_brdr, color_bcrd, color_pr_bcrd, color_stars (fixed in 5.16.0), and color_ex_brdr, color_ex_bcrd (fixed in 5.17.0 for the reviews_grid shortcode). The vulnerability has been assigned a CVSS score of 6.8 (medium) (WPScan).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks through the manipulation of shortcode attributes. This could potentially lead to the execution of malicious JavaScript code in users' browsers when viewing affected pages (WPScan).

The vulnerability has been patched in version 5.17.0 of the Customer Reviews for WooCommerce plugin. Users are advised to update to this version or later to protect against this security issue. The fix was implemented in two stages, with some attributes being patched in version 5.16.0 and the remaining fixes included in version 5.17.0 (WPScan).