CVE-2023-2254: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Ko-fi Button WordPress plugin versions before 1.3.3. The vulnerability was publicly disclosed on April 25, 2023, and was assigned CVE-2023-2254. The issue affects the plugin's settings functionality, specifically impacting WordPress installations using the Ko-fi Button plugin (WPScan).

The vulnerability stems from improper handling of plugin settings, which could enable high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79. It aligns with the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows high-privilege users to inject malicious scripts through the plugin's settings, specifically in the 'Button Text' field. When exploited, the injected scripts would execute when users view pages containing the [kofi] shortcode (WPScan).

The vulnerability has been patched in version 1.3.3 of the Ko-fi Button plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).