CVE-2023-1259: 
WordPress vulnerability analysis and mitigation

The Hotjar plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-1259) affecting versions up to and including 1.0.15. The vulnerability was discovered in the plugin's hotjarsiteid parameter and was publicly disclosed on October 5, 2023. This security issue impacts WordPress installations using the affected versions of the Hotjar plugin (WPScan, NVD).

The vulnerability stems from insufficient sanitization and escaping of plugin settings, specifically in the hotjarsiteid parameter. This security flaw could be exploited by high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS score of 4.4 (medium severity) (WPScan).

The vulnerability allows high-privilege users to inject and store malicious JavaScript code that executes when other users access affected pages. This is particularly concerning in multisite WordPress installations where the unfiltered_html capability is typically restricted (WPScan).

The vulnerability has been patched in version 1.0.16 of the Hotjar plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).