CVE-2023-2634: 
WordPress vulnerability analysis and mitigation

The Get your number WordPress plugin through version 1.1.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on May 12, 2023. The plugin fails to properly sanitize and escape some of its settings, affecting WordPress installations using this plugin (WPScan).

The vulnerability exists due to improper input validation in the plugin's settings. High privilege users such as administrators can perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users with high privileges to store and execute malicious JavaScript code on the website. When exploited, this could lead to client-side attacks against other users who access the affected pages, potentially compromising their browser sessions or leading to further attacks (WPScan).

There is no known fix available for this vulnerability as of the last update. Users should consider implementing additional security controls or removing the plugin until a patch is available (WPScan).