
Cloud Vulnerability DB
A community-led vulnerabilities database
The Event Registration Calendar By vcita plugin (versions up to 1.3.1) and Online Payments – Get Paid with PayPal, Square & Stripe plugin (versions up to 3.9.1) for WordPress contain a Stored Cross-Site Scripting vulnerability. The vulnerability was discovered on February 2, 2023, and was publicly disclosed on June 2, 2023. These plugins are used by approximately 400 active installations combined (Jonh Blog).
The vulnerability stems from insufficient input sanitization and output escaping in the plugins' handling of the 'email' parameter. Both plugins expose a poorly protected endpoint for setting the parameters of the vcita account connection. The values submitted to it are stored in the database without proper validation and are later inserted into the site's pages without adequate escaping. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) (Wordfence).
When successfully exploited, this vulnerability allows authenticated attackers with the edit_posts capability (Contributor role and above) to inject arbitrary web scripts into pages. These scripts execute whenever a user visits the affected page, potentially leading to session hijacking, credential theft, or other client-side attacks (CVE Mitre).
The vendor released security updates on June 12, 2023, to address the vulnerability in both plugins. Users should update the Event Registration Calendar By vcita plugin to a version newer than 1.3.1 and the Online Payments plugin to a version newer than 3.9.1 (Jonh Blog).
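The following is an added illustration of the defect class described above, not code from either vcita plugin. It is plain PHP that runs from the command line: a `$options` array stands in for the WordPress options table, the request array is constructed, and the WordPress helper functions that would be used in a real plugin are named in comments only. It shows the vulnerable pattern (store the parameter as received, echo it unescaped) next to a hardened version that validates on input and escapes on output, and it also shows why output escaping matters for values that were already stored before a fix.

```php
<?php
// Added example (not the plugin's code): stored XSS via an unsanitized
// 'email' setting, and the hardened equivalent. Plain PHP; WordPress
// equivalents are noted in comments.

// Constructed stand-in for the plugin's stored settings (wp_options in WordPress).
$options = [];

// Vulnerable pattern: the 'email' parameter is saved exactly as received
// and later written into the page as-is.
function vulnerable_save(array &$options, array $request): void {
    $options['vcita_email'] = $request['email'] ?? '';
}

function vulnerable_render(array $options): string {
    return '<input name="email" value="' . $options['vcita_email'] . '">';
}

// Hardened pattern, part 1: validate on input. Only a syntactically valid
// e-mail address is stored; anything else is rejected, not stored.
// (WordPress: sanitize_email() / is_email(). The endpoint should also require
// an administrative capability and a nonce: current_user_can(),
// check_admin_referer(). Those checks are outside this plain-PHP example.)
function hardened_save(array &$options, array $request): bool {
    $candidate = trim((string) ($request['email'] ?? ''));
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $options['vcita_email'] = $candidate;
    return true;
}

// Hardened pattern, part 2: escape on output, every time, regardless of
// what the database holds. (WordPress: esc_attr() for attribute context.)
function hardened_render(array $options): string {
    $value = (string) ($options['vcita_email'] ?? '');
    return '<input name="email" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed request: a script payload where an address is expected.
$request = ['email' => '"><script>alert(1)</script>'];

vulnerable_save($options, $request);
echo vulnerable_render($options), PHP_EOL;
// The quote closes the attribute and a <script> element lands in the page.

$accepted = hardened_save($options, $request);
var_dump($accepted);
// bool(false): the value never reaches the database.

// Defense in depth: a row stored before the fix (or written through another
// path) is still rendered inert because escaping happens at output time.
$options['vcita_email'] = $request['email'];
echo hardened_render($options), PHP_EOL;
// The quotes and angle brackets appear as &quot; &gt; &lt; entities, not markup.
```

Run it with `php example.php`. The two halves of the fix are independent: input validation limits what can be stored, while output escaping keeps the page safe even for values that bypassed validation, which is exactly the case for sites that update the plugin after a malicious value has already been saved.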
Source: This report was generated using AI