CVE-2023-0099: 
WordPress vulnerability analysis and mitigation

The Simple URLs WordPress plugin versions before 115 contain a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-0099. The vulnerability was discovered on January 6, 2023, and publicly disclosed on January 17, 2023. This security issue affects the plugin's parameter handling in various pages, potentially impacting WordPress installations using the affected versions (WPScan).

The vulnerability stems from improper sanitization and escaping of certain parameters before they are output back in various pages. The issue has been assigned a CVSS score of 7.5 (High), indicating significant severity. The vulnerability is classified as CWE-79: Cross-Site Scripting. Multiple attack vectors have been identified, including parameters such as 'search', 'filter', 'post_id', and 'keyword' in the import-js.php file, as well as the 'link-search-input' parameter in the dashboard (WPScan).

The vulnerability could be exploited against high-privilege users such as administrators. Successful exploitation could allow attackers to execute arbitrary JavaScript code in the context of the targeted user's browser session, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been patched in version 115 of the Simple URLs plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).