CVE-2023-2600: 
WordPress vulnerability analysis and mitigation

The Custom Base Terms WordPress plugin versions prior to 1.0.3 contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-2600. The vulnerability was discovered and publicly disclosed on May 22, 2023. The issue affects the plugin's settings functionality, specifically impacting WordPress installations where the plugin is active (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings, which allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This vulnerability is particularly concerning in multisite setups where the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 3.5 (low) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows high-privilege users to inject malicious JavaScript code into the plugin settings. The stored XSS payload remains persistent and executes when other users access the affected pages. This could potentially lead to client-side attacks against other administrative users (WPScan).

The vulnerability has been patched in version 1.0.3 of the Custom Base Terms plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk. If immediate updating is not possible, limiting administrative access to trusted users can help reduce the risk of exploitation (WPScan).