CVE-2023-26541: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Alexander Suess asMember WordPress plugin versions 1.5.4 and below. The vulnerability was identified on February 24, 2023, and was assigned CVE-2023-26541. The security issue affects users with administrative privileges and stems from insufficient sanitization and escaping of certain parameters (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.9 (Medium) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L, while the NVD assessment rated it at 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (Patchstack).

The vulnerability could allow malicious actors with administrative access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue was initially reported by researcher Prasanna V Balaji on February 17, 2023, and an early warning was sent to Patchstack customers on February 24, 2023 (Patchstack).