CVE-2023-26529: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-26529) is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability affecting DupeOff.Com DupeOff WordPress plugin versions 1.6 and below. The vulnerability was discovered by Yash Kanchhal and was reported on February 11, 2023, with public disclosure on February 28, 2023 (Patchstack).

The vulnerability exists because the plugin does not properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed (for example in multisite setup). The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a score of 5.9 (Medium) (NVD, WPScan).

The vulnerability could allow malicious actors with administrative access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

As of the latest reports, there is no official fix available for this vulnerability. Given the low severity impact and the requirement of administrative access for exploitation, the vulnerability is considered to have low priority for patching (Patchstack).