CVE-2023-0171: 
WordPress vulnerability analysis and mitigation

The jQuery T(-) Countdown Widget WordPress plugin before version 2.3.24 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-0171. The vulnerability was discovered and publicly disclosed on January 12, 2023. The issue affects users with contributor roles and above, as the plugin fails to properly validate and escape certain shortcode attributes before outputting them in pages or posts where the shortcode is embedded (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the jQuery T(-) Countdown Widget plugin. When these attributes are output back in a page or post where the shortcode is embedded, it creates an opportunity for stored XSS attacks. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. A proof of concept exploit has been documented using the shortcode: [tminus t='2100-01-01' width='" onmouseover="alert(1)"'] (WPScan).

The vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who view the affected pages (WPScan).

The vulnerability has been fixed in version 2.3.24 of the jQuery T(-) Countdown Widget plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).