CVE-2023-23979: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Fullworks Quick Event Manager WordPress plugin versions 9.7.4 and below. The vulnerability was identified on January 20, 2023, and was assigned CVE-2023-23979. This security flaw affects the WordPress plugin Quick Event Manager and was resolved in version 9.7.5 (Patchstack, WPScan).

The vulnerability stems from improper sanitization and escaping of the 'yourname' parameter in the plugin. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received varying CVSS scores: a CVSS v3.1 base score of 6.1 (MEDIUM) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and a score of 7.1 (HIGH) from Patchstack with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability could allow unauthenticated attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The recommended mitigation is to update the Quick Event Manager plugin to version 9.7.5 or later, which contains the security fix. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).