CVE-2023-23891: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the OceanWP Ocean Extra WordPress plugin versions 2.1.1 and below. The vulnerability requires the OceanWP theme to be installed and activated, and affects users with contributor-level permissions or higher. The vulnerability was disclosed on February 2, 2023, and was assigned CVE-2023-23891 (WPScan, Patchstack).

The vulnerability exists in the plugin's oceanwp_breadcrumb shortcode, where the class attribute is not properly escaped before being output in a page or post. This allows authenticated users with contributor privileges or higher to inject malicious scripts. The vulnerability has been assigned a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, WPScan).

If exploited, this vulnerability could allow attackers to inject malicious scripts, which could lead to various attacks including redirects, unwanted advertisements, and execution of arbitrary HTML payloads when users visit the affected site (Patchstack).

The vulnerability has been patched in version 2.1.2 of the Ocean Extra plugin. Site administrators are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).