CVE-2023-0362: 
WordPress vulnerability analysis and mitigation

The Themify Portfolio Post WordPress plugin before version 1.2.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on January 19, 2023, and was assigned CVE-2023-0362. The issue affects the plugin's shortcode functionality where certain attributes are not properly validated and escaped before being output back in pages or posts (WPScan).

The vulnerability exists due to improper validation and escaping of shortcode attributes before they are output back in pages or posts where the shortcode is embedded. The issue has been assigned a CVSS score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability could allow authenticated users with contributor-level permissions or above to perform Stored Cross-Site Scripting attacks. When successfully exploited, the attacker could inject malicious JavaScript code that would execute in the context of other users' browsers when viewing the affected page (WPScan).

The vulnerability has been fixed in version 1.2.2 of the Themify Portfolio Post plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).