CVE-2023-0176: 
WordPress vulnerability analysis and mitigation

The Giveaways and Contests by RafflePress WordPress plugin before version 1.11.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on January 12, 2023, and affects users with contributor role and above. The issue stems from improper validation and escaping of shortcode attributes before they are output back in pages or posts where the shortcode is embedded (WPScan).

The vulnerability has been assigned CVE-2023-0176 with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The security flaw exists in the shortcode processing functionality where certain attributes are not properly validated and sanitized before being rendered back to users (NVD).

This vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. Successful exploitation could enable attackers to inject malicious web scripts or HTML that would execute in the context of other users' browsers when viewing affected pages (WPScan).

The vulnerability has been patched in version 1.11.3 of the Giveaways and Contests by RafflePress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).