CVE-2023-0926: 
WordPress vulnerability analysis and mitigation

The Custom Permalinks WordPress plugin was found to contain a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.6.0. The vulnerability was discovered and disclosed in August 2024, affecting the tag name functionality within the plugin. The issue stems from insufficient input sanitization and output escaping on tag names (CVE Mitre).

The vulnerability allows authenticated users with editor-level permissions or higher to inject arbitrary web scripts through tag names. These malicious scripts would execute whenever a user accesses an affected page, even when the 'unfiltered_html' capability is disabled. The issue was fixed in version 2.7.0 of the plugin, released on August 20, 2024 (WordPress Plugin).

When exploited, this vulnerability enables attackers with editor-level access to inject and execute malicious JavaScript code that affects any user viewing the compromised pages. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks against site visitors (CVE Mitre).

The recommended mitigation is to update the Custom Permalinks plugin to version 2.7.0 or later, which includes the security fix for this vulnerability. The fix was implemented through proper input sanitization and output escaping of tag names (WordPress Plugin).