CVE-2023-23491: 
WordPress vulnerability analysis and mitigation

The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting (XSS) vulnerability in the 'category' parameter of its 'qemajaxcalendar' action. The vulnerability was discovered in January 2023 and assigned CVE-2023-23491 (NVD, Tenable Advisory).

The vulnerability exists because the plugin does not sanitize and escape the category parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability. The issue is present in the function 'qemshowcalendar()' of the file 'legacy/quick-event-manager.php'. The vulnerability has a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it requires user interaction but no privileges for exploitation (WPScan).

If exploited, this vulnerability could be used against high privilege users such as administrators. The CVSS scoring indicates low impact on both confidentiality and integrity, with no impact on availability. The vulnerability has a changed scope, meaning it can affect resources beyond its restricted scope (Tenable Advisory).

The vulnerability has been fixed in version 9.7.5 of the Quick Event Manager WordPress plugin. Users should update to this version or later to mitigate the risk (WPScan).