CVE-2023-2399: 
WordPress vulnerability analysis and mitigation

The QuBot WordPress plugin versions before 1.1.6 contains an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-2399. The vulnerability was discovered by Rafael B. and publicly disclosed on May 22, 2023. This security issue affects the chat functionality of the QuBotChat WordPress plugin (WPScan, Patchstack).

The vulnerability stems from improper input filtering in the chat functionality, where user input is not properly sanitized before being stored and displayed on the user dashboard. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. It is classified as CWE-79: Cross-Site Scripting and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (NVD, WPScan).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts are then executed when visitors access the affected site. The impact is considered low to medium severity, but it could potentially affect user experience and security (Patchstack).

The vulnerability has been fixed in version 1.1.6 of the QuBotChat plugin. Website administrators are advised to update to this version or later to remediate the security issue. No alternative workarounds have been published (Patchstack).