CVE-2023-0937: 
WordPress vulnerability analysis and mitigation

CVE-2023-0937 affects the WordPress plugin VK All in One Expansion Unit versions below 9.87.1.0. The vulnerability was discovered and publicly disclosed on February 23, 2023, by security researcher Erwan LR from WPScan (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS score of 4.2 (medium severity). The security flaw exists because the plugin does not properly escape the $SERVER['REQUESTURI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. This vulnerability is categorized under CWE-79 and OWASP Top 10 A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability could allow attackers to execute malicious scripts in the context of the victim's browser session when using older web browsers, potentially leading to theft of sensitive information or manipulation of the web interface (WPScan).

The vulnerability has been fixed in version 9.87.1.0 of the VK All in One Expansion Unit plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).