CVE-2023-2709: 
WordPress vulnerability analysis and mitigation

The AN_GradeBook WordPress plugin through version 5.0.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups. This vulnerability was discovered and reported by Bob Matyas, and was publicly disclosed on June 19, 2023 (WPScan Advisory).

The vulnerability exists in the plugin's settings functionality where input fields are not properly sanitized or escaped. When adding a new course in the plugin settings, all fields are vulnerable to XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Cross-Site Scripting (NVD).

The vulnerability allows authenticated administrators to inject and execute malicious JavaScript code in the context of other users' browsers, even in environments where the unfiltered_html capability is disabled. This is particularly concerning in multisite WordPress installations where such restrictions are commonly implemented as security measures (WPScan Advisory).

As of the vulnerability disclosure, there is no known fix available for this vulnerability. Users should consider implementing additional security controls or evaluating alternative plugins until a patch is released (WPScan Advisory).