CVE-2023-0491: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2023-0491 affects the Schedulicity – Easy Online Scheduling WordPress plugin versions 2.21 and below. The vulnerability was discovered and publicly disclosed on March 3, 2023, by security researcher István Márton. It is classified as a Stored Cross-Site Scripting (XSS) vulnerability that affects users with contributor-level permissions and above (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin. When these attributes are output back in a page or post where the shortcode is embedded, it creates an opportunity for stored XSS attacks. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. A proof of concept exploit involves using malicious code in the schedulenowbutton shortcode's bizkey attribute: [schedulenowbutton bizkey='" onmouseover="alert(1)" style="background:red;"'] (WPScan).

The vulnerability allows authenticated users with contributor-level access or higher to inject malicious JavaScript code into pages or posts. When other users view the affected pages, the injected code executes in their browsers, potentially leading to session hijacking, credential theft, or other malicious actions (WPScan).

As of the disclosure date, there is no known fix available for this vulnerability. Website administrators using the affected plugin should consider implementing additional access controls or temporarily disabling the plugin until a patch is released (WPScan).