CVE-2023-23871: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-23871) affects the WordPress Button plugin versions 1.1.23 and below, involving an Authenticated (Administrator+) Stored Cross-Site Scripting (XSS) vulnerability. The issue was initially reported on January 10, 2023, and was publicly disclosed on May 12, 2023 (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, falling under the CWE-79 category (Improper Neutralization of Input During Web Page Generation). It has received varying CVSS scores, with the NVD assigning a base score of 4.8 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. However, the vulnerability requires administrator-level access to exploit, which significantly limits its potential impact (Patchstack).

The vulnerability has been fixed in version 1.1.24 of the WordPress Button plugin. Users are advised to update to version 1.1.24 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).