CVE-2023-2026: 
WordPress vulnerability analysis and mitigation

The Image Protector WordPress plugin version 1.1 and below contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on June 19, 2023. The issue affects the plugin's settings page where high-privilege users can perform stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability stems from improper sanitization of plugin settings, specifically in the user agent check input field. The vulnerability has been assigned a CVSS score of 3.5 (Low) and is classified as CWE-79: Cross-Site Scripting. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows attackers with high-privilege access to store and execute malicious JavaScript code on the affected WordPress site. This is particularly concerning in multisite setups where the unfiltered_html capability is typically disallowed for security reasons (WPScan).

As of the vulnerability disclosure, there is no known fix available for this issue. Site administrators should consider disabling the plugin until a security patch is released or implement additional access controls to limit administrative access to trusted users (WPScan).