CVE-2023-0268: 
WordPress vulnerability analysis and mitigation

CVE-2023-0268 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Mega Addons For WPBakery Page Builder WordPress plugin versions below 4.3.0. The vulnerability was discovered and publicly disclosed on April 17, 2023, by security researcher Lana Codes (WPScan).

The vulnerability exists because the plugin fails to properly validate and escape certain shortcode attributes before outputting them back in a page or post where the shortcode is embedded. This vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability can be exploited through the vc_testimonial shortcode by injecting malicious JavaScript code into its attributes (WPScan).

This vulnerability allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers can inject and execute malicious JavaScript code that will be stored on the website and executed when other users view the affected page (WPScan).

The vulnerability has been fixed in version 4.3.0 of the Mega Addons For WPBakery Page Builder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).