CVE-2023-25059: 
WordPress vulnerability analysis and mitigation

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability was discovered in avalex GmbH avalex – Automatically secure legal texts plugin versions 3.0.3 and earlier. The vulnerability was identified and published on February 2, 2023, and was assigned the identifier CVE-2023-25059 (Patchstack).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 4.8 (MEDIUM) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability could allow a malicious actor with administrative privileges to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site (Patchstack).

The vulnerability has been fixed in version 3.0.4 of the avalex plugin. Users are recommended to update to version 3.0.4 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).