CVE-2023-1839: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-1839) affects Product Addons & Fields for WooCommerce plugin versions below 32.0.6. It is a Stored Cross-Site Scripting (XSS) vulnerability that allows high-privilege users such as administrators to perform XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability was discovered and publicly disclosed on April 24, 2023 (WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape some of its setting fields. The issue has been assigned a CVSS score of 3.5 (low) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability specifically affects the PPOM Fields section of the plugin where certain input fields lack proper sanitization (WPScan).

When exploited, this vulnerability allows administrators to inject malicious JavaScript code that will be executed when other administrators visit specific admin pages. This is particularly concerning in multisite setups where the unfiltered_html capability is typically restricted (WPScan).

The vulnerability has been fixed in version 32.0.6 of the Product Addons & Fields for WooCommerce plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).