CVE-2023-2711: 
WordPress vulnerability analysis and mitigation

CVE-2023-2711 affects the Ultimate Product Catalog WordPress plugin versions before 5.2.6. The vulnerability was discovered by Ilyase Dehy and Aymane Mazguiti and was publicly disclosed on June 5, 2023. This security issue exists in the plugin's settings functionality, where certain parameters are not properly sanitized and escaped (WPScan Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The security flaw stems from improper sanitization and escaping of plugin settings, particularly in the Categories section and product creation fields. The vulnerability is tracked as CWE-79 (NVD Database).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. This could potentially lead to the execution of malicious scripts in the context of other users' browsers (WPScan Advisory).

The vulnerability has been fixed in version 5.2.6 of the Ultimate Product Catalog plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).