CVE-2023-26010: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-26010) is a Stored Cross-Site Scripting (XSS) vulnerability affecting WPMobile.App WordPress plugin versions 11.18 and below. The vulnerability was discovered and reported by Rio Darmawan, and was publicly disclosed on February 23, 2023. The issue affects high-privilege users such as administrators, particularly in multisite setups where the unfilteredhtml capability is disallowed ([Patchstack](https://patchstack.com/database/vulnerability/wpappninja/wordpress-wpmobile-app-android-and-ios-mobile-application-plugin-11-18-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability stems from the plugin's failure to properly sanitize and escape certain settings, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The vulnerability has been assigned a CVSS 3.1 base score of 5.9 (Medium) and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered low severity due to the requirement of administrative privileges for exploitation (Patchstack).

The vulnerability has been fixed in version 11.19 of the WPMobile.App plugin. Users are advised to update to version 11.19 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).