CVE-2023-0380: 
WordPress vulnerability analysis and mitigation

CVE-2023-0380 affects the Easy Digital Downloads WordPress plugin versions before 3.1.0.5. The vulnerability was discovered and publicly published on January 30, 2023. The issue exists in the plugin's block options functionality where input validation and escaping are not properly implemented (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked as CWE-79. The issue occurs when the plugin fails to properly validate and escape block options before outputting them back in a page/post where the block is embedded (NVD, WPScan).

This vulnerability allows users with contributor role and above to perform Stored Cross-Site Scripting attacks. The successful exploitation requires at least one Download to exist in the system for the issue to trigger (WPScan).

The vulnerability has been fixed in version 3.1.0.5 of the Easy Digital Downloads plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).