CVE-2023-2298: 
WordPress vulnerability analysis and mitigation

CVE-2023-2298 affects the Online Booking & Scheduling Calendar for WordPress by vcita plugin versions 4.2.10 and below. The vulnerability was discovered on February 2, 2023, and was publicly disclosed on June 2, 2023, after the vendor released patches on June 12, 2023. This security issue impacts over 3,000 active installations with approximately 400,000 total downloads (Jonas Blog).

The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) with a CVSS score of 7.2 (High). The issue stems from an unprotected REST route endpoint used to set connection parameters for the vcita account connection. The vulnerability exists due to insufficient input sanitization and output escaping, where variables are stored in the database without validation and later inserted into the website without proper sanitation (Wordfence).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in users' browsers when viewing affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD).

Website administrators should immediately update to a version newer than 4.2.10 of the Online Booking & Scheduling Calendar for WordPress by vcita plugin. The vendor has released patches to address this vulnerability as of June 12, 2023 (Jonas Blog).