CVE-2023-0894: 
WordPress vulnerability analysis and mitigation

CVE-2023-0894 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Pickup | Delivery | Dine-in date time' versions 1.0.9 and below. The vulnerability was discovered and publicly disclosed on April 12, 2023. The affected plugin is also known as 'restaurant-pickup-delivery-dine-in' in the WordPress plugin repository (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings. Multiple form parameters in the plugin's general settings page are vulnerable to stored XSS attacks. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79: Cross-Site Scripting. The vulnerability can be exploited through the plugin's settings page at '/wp-admin/admin.php?page=byconsolewooodtrestro_general_settings' where multiple form parameters are susceptible to XSS payloads (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. When exploited, any administrator visiting the affected page would be targeted by the stored XSS payload (WPScan).

As of the vulnerability disclosure, there is no known fix available for this vulnerability. Website administrators using the affected plugin should consider implementing additional security controls or evaluating alternative solutions (WPScan).