CVE-2023-22715: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in the WP-CommentNavi WordPress plugin versions 1.12.1 and below. The vulnerability was reported on January 8, 2023, and publicly disclosed on January 17, 2023. This security issue affects the WP-CommentNavi plugin developed by Lester 'GaMerZ' Chan and requires administrator-level privileges to exploit (Patchstack Database).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (Medium) according to NVD, and 5.9 (Medium) according to Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, high privileges, and user interaction to exploit. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If exploited, this vulnerability could allow an authenticated administrator to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These malicious scripts would then be executed when guests visit the affected site (Patchstack Database).

The vulnerability has been fixed in version 1.12.2 of the WP-CommentNavi plugin. Users are advised to update to version 1.12.2 or later to remove the vulnerability. It's worth noting that the software appears to be abandoned, as it hasn't been updated for over a year, and users should consider replacing it with an alternative solution (Patchstack Database).