CVE-2023-0644: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in PushAssist WordPress plugin versions 3.0.8 and below. The vulnerability was publicly disclosed on April 24, 2023, and was assigned CVE-2023-0644. The affected plugin, push-notification-for-wp-by-pushassist, lacks proper sanitization and escaping of various parameters, making it susceptible to XSS attacks targeting high-privilege users such as administrators (WPScan).

The vulnerability stems from improper parameter handling where various parameters are neither sanitized nor escaped before being output back in pages. The vulnerability has been classified as a Cross-Site Scripting (XSS) issue, categorized under OWASP Top 10 A7 and CWE-79. The severity of this vulnerability is rated as high with a CVSS score of 7.1 (WPScan).

This vulnerability could be exploited against high-privilege users such as administrators, potentially allowing attackers to execute malicious scripts in the context of the admin's browser session. The vulnerability affects multiple URLs within the plugin's admin interface, particularly in the account creation and notification sending functionalities (WPScan).

As of the vulnerability disclosure, no known fix has been released for this security issue. Users of the PushAssist WordPress plugin version 3.0.8 or below should consider implementing additional security measures or temporarily disabling the plugin until a patch becomes available (WPScan).