CVE-2023-0365: 
WordPress vulnerability analysis and mitigation

The React Webcam WordPress plugin through version 1.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-0365. The vulnerability was discovered on January 18, 2023, and publicly disclosed on February 21, 2023. This security issue affects the React Webcam WordPress plugin and poses a risk to WordPress installations using versions up to 1.2.0 (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin. When these attributes are output back in a page or post where the shortcode is embedded, they can be manipulated to execute malicious scripts. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified as CWE-79: Cross-Site Scripting. A proof of concept exploit involves using the shortcode with malicious attributes: [reactwebcam dir='" onmouseover="alert(1)" style="background:red;width:100px;height:100px;"'] (WPScan).

The vulnerability allows users with contributor role and above to perform Stored Cross-Site Scripting attacks. This means that malicious actors with contributor-level access can inject and store malicious scripts that will execute when other users view the affected pages (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Website administrators running the affected plugin should consider either removing the plugin or implementing additional security controls to restrict access to contributor-level capabilities (WPScan).