CVE-2023-25064: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Matteo Candura WP htpasswd WordPress plugin versions 1.7 and below. The vulnerability was identified on February 2, 2023, and requires administrator-level authentication to exploit (Patchstack).

The vulnerability has been assigned CVE-2023-25064 and received a CVSS v3.1 base score of 4.8 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If exploited, this vulnerability could allow an authenticated attacker with administrative privileges to inject malicious scripts into the website. These scripts could be used to create redirects, insert unwanted advertisements, or execute other HTML payloads that would affect visitors to the site (Patchstack).

As of the latest reports, no official fix has been made available for this vulnerability. The issue affects all versions of the WP htpasswd plugin up to and including version 1.7 (Patchstack).