CVE-2023-0366: 
WordPress vulnerability analysis and mitigation

The Loan Comparison WordPress plugin before version 1.5.3 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-0366. The vulnerability was discovered on January 18, 2023, and publicly disclosed on January 25, 2023. This security flaw affects the plugin's shortcode functionality, potentially impacting WordPress installations using the vulnerable versions (WPScan, NVD).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in a page or post where the shortcode is embedded. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-Site Scripting) and can be exploited using malformed shortcode attributes, as demonstrated in the proof of concept: [loancomparison slider='" onmouseover="alert(1)"'] (WPScan).

The vulnerability allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, this could lead to the execution of arbitrary JavaScript code in the context of other users' browsers who view the affected pages, potentially compromising user sessions or leading to other malicious activities (NVD).

The vulnerability has been patched in version 1.5.3 of the Loan Comparison plugin. Website administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).