CVE-2023-23874: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Metaphor Creations Ditty WordPress plugin versions 3.0.32 and below. The vulnerability was identified on January 10, 2023, and was assigned CVE-2023-23874. The issue affects users with contributor-level privileges and above (Patchstack Advisory).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output in pages or posts where the shortcode is embedded. This security flaw has been assigned a CVSS score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database, WPScan).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack Advisory).

The vulnerability has been patched in version 3.0.33 of the Ditty plugin. Site administrators are advised to update to version 3.0.33 or later to remediate this security issue. Users of Patchstack can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack Advisory).