CVE-2023-2223: 
WordPress vulnerability analysis and mitigation

The Login rebuilder WordPress plugin before version 2.8.1 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-2223. The vulnerability was discovered and publicly disclosed on May 2, 2023, affecting the plugin's settings functionality. The issue stems from insufficient sanitization and escaping of certain plugin settings, which impacts WordPress installations, particularly in multisite setups (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 4.8 (Medium), vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the plugin's settings section. The issue affects high-privilege users such as administrators, even when the unfiltered_html capability is disabled (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The impact is particularly significant in multisite setups where the unfiltered_html capability is typically disallowed for security reasons (WPScan).

The vulnerability has been fixed in version 2.8.1 of the Login rebuilder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).

The vulnerability was initially discovered and reported by security researcher Taurus Omar (@TaurusOmar_). The issue was verified and documented in various security databases and platforms (WPScan).