CVE-2023-25794: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in the Mighty Digital Nooz WordPress plugin versions 1.6.0 and below. The vulnerability was identified on January 6, 2023, and publicly disclosed on February 15, 2023. This security issue affects administrators and users with high privileges in WordPress installations (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, tracked as CVE-2023-25794. The security flaw exists because the plugin fails to properly sanitize and escape certain settings, potentially allowing high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has received a CVSS v3.1 base score of 4.8 (Medium) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD, WPScan).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered low severity due to the high privileges required for exploitation (Patchstack).

The vulnerability has been patched in version 1.7.0 of the Nooz plugin. Site administrators are advised to update to version 1.7.0 or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).