CVE-2023-25490: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Eric Teubert Archivist – Custom Archive Templates WordPress plugin versions 1.7.4 and below. The vulnerability was reported on February 1, 2023, and published on February 15, 2023. This security issue affects authenticated users with administrator privileges (Patchstack Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CVE-2023-25490. It received a CVSS v3.1 base score of 4.8 (MEDIUM) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a score of 5.9 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability could allow a malicious actor with administrator privileges to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Advisory).

The vulnerability has been fixed in version 1.7.5 of the plugin. Users are recommended to update to version 1.7.5 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack Advisory).

The vulnerability was initially reported by security researcher yuyudhn. Early warning was sent out to Patchstack customers on February 15, 2023, before the public disclosure on February 17, 2023 (Patchstack Advisory).