CVE-2023-0891: 
WordPress vulnerability analysis and mitigation

CVE-2023-0891 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin Stagtools versions below 2.3.7. The vulnerability was discovered and publicly disclosed on April 5, 2023. This security issue affects WordPress installations using the vulnerable versions of the Stagtools plugin (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the Stagtools plugin. When these attributes are output back in a page or post where the shortcode is embedded, it creates a stored XSS condition. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79 (Cross-site Scripting). The vulnerability specifically affects users with contributor role and above who can exploit this through shortcode manipulation (WPScan).

The vulnerability allows users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, the attacker can inject malicious JavaScript code that executes in the context of other users' browsers when they view the affected page (WPScan).

The vulnerability has been fixed in Stagtools version 2.3.7. Website administrators running affected versions should update to the latest version immediately to mitigate this security risk (WPScan).