CVE-2023-1917: 
WordPress vulnerability analysis and mitigation

The PowerPress plugin for WordPress (CVE-2023-1917) contains a Stored Cross-Site Scripting vulnerability affecting versions up to and including 10.0. The vulnerability was discovered and disclosed in June 2023, impacting the plugin's shortcode functionality. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The security flaw exists in the plugin's shortcode implementation where user input is not properly sanitized before being stored and displayed (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD CVE).

A partial fix was released in version 10.0.1, followed by a complete patch in version 10.0.2 to address a discovered workaround. Users are strongly advised to update to the latest version of the plugin to protect against this vulnerability (NVD CVE).