CVE-2023-24411: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Kerry Kline BNE Testimonials WordPress plugin versions 2.0.7 and below. The vulnerability was identified on January 7, 2023, and publicly disclosed on January 27, 2023. This security issue affects WordPress installations using the vulnerable plugin versions (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned CVE-2023-24411. It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a slightly higher CVSS score of 6.5 (Medium) (NVD).

The vulnerability could allow a malicious actor with contributor-level access or higher to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when visitors access the affected site (Patchstack).

Users are advised to update to BNE Testimonials plugin version 2.0.8 or later to remediate this vulnerability. It's worth noting that the software is considered potentially abandoned as it hasn't received updates for over a year, and users should consider finding alternative solutions (Patchstack).