CVE-2023-0360: 
WordPress vulnerability analysis and mitigation

The Location Weather WordPress plugin (versions before 1.3.4) contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-0360. The vulnerability was discovered and publicly disclosed on January 18, 2023. This security issue affects WordPress installations using the Location Weather plugin and specifically impacts users with contributor-level permissions and above (WPScan).

The vulnerability stems from improper validation and escaping of block options in the Location Weather plugin. When these block options are output back in a page or post where the block is embedded, it creates an opportunity for stored XSS attacks. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. The issue specifically relates to the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows authenticated users with contributor-level access or higher to inject malicious scripts into WordPress pages and posts through the Location Weather block options. These scripts are then executed when other users view the affected pages, potentially leading to unauthorized actions and data theft (CVE).

The vulnerability has been fixed in version 1.3.4 of the Location Weather plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).