CVE-2023-0274: 
WordPress vulnerability analysis and mitigation

CVE-2023-0274 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin URL Params versions below 2.5. The vulnerability was discovered and publicly disclosed on April 25, 2023. The issue affects users with contributor role and above who can exploit the vulnerability through shortcode attributes (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in a page or post where the shortcode is embedded. The vulnerability has been assigned a CVSS score of 6.8 (Medium) and is classified under CWE-79. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

This vulnerability allows attackers with contributor-level access or higher to perform Stored Cross-Site Scripting attacks by injecting malicious scripts through shortcode attributes. These scripts would then be executed when other users view the affected pages or posts (WPScan).

The vulnerability has been fixed in URL Params version 2.5. Users are advised to update their installations to this version or later to mitigate the risk (WPScan).