CVE-2023-28621: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Wishfulthemes' Raise Mag and Wishful Blog WordPress themes. The vulnerability affects Raise Mag versions up to 1.0.7 and Wishful Blog versions up to 2.0.1. The issue was reported by László Radnai on March 20, 2023, and was publicly disclosed on September 5, 2023 (Patchstack Raise, Patchstack Blog).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 7.1 (High) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, while NIST assigned a score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited by unauthenticated attackers (Patchstack Raise).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack Raise).

No official fix is currently available for either theme. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack Raise).