CVE-2023-0376: 
WordPress vulnerability analysis and mitigation

The Qubely WordPress plugin before version 1.8.5 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on January 2, 2023, and was assigned CVE-2023-0376. The issue affects users with contributor role and above, as the plugin fails to properly validate and escape certain block options before outputting them in pages or posts where the block is embedded (WPScan, CVE Mitre).

The vulnerability exists in the block options functionality of the Qubely plugin, specifically in the Post Grid Gutenberg block. The issue stems from improper validation and escaping of Additional CSS class(es) input. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified under CWE-79, falling into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers can inject malicious JavaScript code that executes when other users view the affected page or post (WPScan).

The vulnerability has been fixed in Qubely version 1.8.5. Users are advised to update to this version or later to mitigate the security risk (WPScan).