CVE-2023-22720: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-22720) affects the Robert Macchi WP Links Page WordPress plugin versions 4.9.3 and earlier. This is a Stored Cross-Site Scripting (XSS) vulnerability that affects users with contributor-level privileges and above (Patchstack). The vulnerability was discovered on January 12, 2023, and was publicly disclosed on April 19, 2023.

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) that occurs when the plugin fails to properly validate and escape certain shortcode attributes before outputting them back in a page or post where the shortcode is embedded. The vulnerability has received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 4.9.4 of the WP Links Page plugin. Users are advised to update to this version or later to remediate the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).