CVE-2023-23898: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in CreativeThemes Blocksy Companion plugin versions 1.8.67 and earlier. The vulnerability was assigned CVE-2023-23898 and was first reported on January 19, 2023, with public disclosure following on January 27, 2023. This security issue affects WordPress installations using the vulnerable versions of the Blocksy Companion plugin and requires contributor or higher level privileges to exploit (Patchstack).

The vulnerability exists because the plugin does not validate and escape the class attribute of its blocksy_posts shortcode before outputting them back in a page/post where the shortcode is embedded. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a score of 5.5 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

This vulnerability could allow authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers could inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the affected pages (Patchstack).

The vulnerability has been fixed in version 1.8.68 of the Blocksy Companion plugin. Website administrators are advised to update to this version or later to remove the vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).