CVE-2023-28418: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Mediciti Lite WordPress theme versions 1.3.0 and below. The vulnerability was identified on March 15, 2023, and was assigned CVE-2023-28418. This security issue affects authenticated users with subscriber-level privileges or higher (Patchstack).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back to the page, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The severity has been assessed with a CVSS v3.1 base score of 5.4 (Medium) according to Patchstack's evaluation, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. However, WPScan rates it with a higher CVSS score of 7.1 (High) (WPScan, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is particularly concerning as the software is considered abandoned, having not received updates for over a year (Patchstack).

As no official fix is available, the primary recommendation is to remove and replace the Mediciti Lite theme with an alternative solution. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website owners can also implement the Patchstack security solution for immediate vulnerability mitigation (Patchstack).