CVE-2023-23892: 
WordPress vulnerability analysis and mitigation

The M Chart WordPress plugin versions 1.9.4 and below contain an authenticated Stored Cross-Site Scripting (XSS) vulnerability that affects users with contributor role and above. The vulnerability was discovered and disclosed on January 19, 2023, and was assigned CVE-2023-23892. The issue was fixed in version 1.10 of the plugin (Patchstack).

The vulnerability stems from insufficient sanitization and escaping of certain parameters in the plugin. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack has assigned it a slightly higher CVSS score of 6.5 (Medium). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could enable malicious actors to inject harmful scripts that execute when other users visit the affected pages, potentially leading to session hijacking, defacement, or other malicious activities (WPScan).

The recommended mitigation is to update the M Chart plugin to version 1.10 or later, which contains the security fix. For sites unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).