CVE-2023-0418: 
WordPress vulnerability analysis and mitigation

CVE-2023-0418 affects the Video Central for WordPress plugin through version 1.3.0. The vulnerability was discovered and publicly disclosed on March 28, 2023. The issue exists in the plugin's handling of shortcode attributes, which are not properly validated and escaped before being output in pages or posts (WPScan, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 6.8 (medium severity). It is categorized under CWE-79 and maps to OWASP Top 10 category A7: Cross-Site Scripting (XSS). The technical issue stems from the plugin's failure to properly validate and escape shortcode attributes before rendering them in pages or posts where the shortcode is embedded (WPScan).

The vulnerability allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks. This means malicious actors with appropriate access levels can inject and store malicious JavaScript code that executes when other users view the affected pages (WPScan).

As of the vulnerability disclosure, there is no known fix available for this issue. Users of the Video Central WordPress plugin should consider either removing the plugin or implementing additional access controls to restrict contributor access until a patch is released (WPScan).

The vulnerability was initially discovered and reported by security researcher Lana Codes (Twitter: @LanaCodes). The finding has been verified and documented in the WPScan Vulnerability Database (WPScan).