CVE-2023-0173: 
WordPress vulnerability analysis and mitigation

CVE-2023-0173 affects the WPFunnels WordPress plugin versions below 2.6.9. The vulnerability was discovered and publicly published on January 11, 2023. This security issue allows users with contributor-level access and above to perform Stored Cross-Site Scripting (XSS) attacks through shortcode attributes (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the WPFunnels plugin. When these attributes are output back in a page or post where the shortcode is embedded, they can be manipulated to execute malicious JavaScript code. The vulnerability has been assigned a CVSS v3.1 score of 6.8 (medium severity) and is classified as CWE-79: Cross-Site Scripting (WPScan).

The vulnerability allows authenticated users with contributor privileges or higher to inject and execute arbitrary JavaScript code in the context of other users' browsers who view the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been fixed in WPFunnels version 2.6.9. Site administrators should update to this version or later to protect against this security issue (WPScan).