CVE-2023-0605: 
WordPress vulnerability analysis and mitigation

The Auto Rename Media On Upload WordPress plugin before version 1.1.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-0605. The vulnerability was discovered and publicly disclosed on March 20, 2023. The issue affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings, which could allow high privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows high-privilege users to store and execute malicious JavaScript code through the plugin's settings interface. This could potentially affect other administrative users accessing the settings page, even in restricted environments where unfiltered HTML is typically not allowed (WPScan).

The vulnerability has been fixed in version 1.1.0 of the Auto Rename Media On Upload plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).