CVE-2023-28415: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in XootiX Side Cart Woocommerce (Ajax) plugin versions 2.2 and below. The vulnerability was reported on March 15, 2023, and was publicly disclosed on June 28, 2023. This security issue affects WordPress installations using the vulnerable plugin versions and requires administrator or higher privileges to exploit (Patchstack).

The vulnerability stems from improper validation and escaping of certain parameters in the plugin, which could allow users with admin privileges to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a score of 5.9 (Medium) (WPScan, NVD).

The vulnerability could allow malicious actors with administrative access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 2.3 of the Side Cart Woocommerce plugin. Site administrators are advised to update to version 2.3 or later to remove the vulnerability. The issue is considered low priority, and virtual patching is deemed unnecessary (Patchstack).