CVE-2023-23817: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in the WebArea | Vera Nedvyzhenko Simple PDF Viewer WordPress plugin versions 1.9 and below. The vulnerability was initially reported on January 9, 2023, and was publicly disclosed on February 17, 2023. The issue was assigned CVE-2023-23817 and affects users with contributor-level permissions and above (Patchstack).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output in pages or posts where the shortcode is embedded. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST and 6.5 (Medium) by Patchstack. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Patchstack).

The vulnerability could allow authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. This could enable malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads that would execute when visitors access the affected site (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects all versions of the Simple PDF Viewer plugin up to and including version 1.9 (WPScan).