CVE-2023-28776: 
WordPress vulnerability analysis and mitigation

An unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the I Thirteen Web Solution Continuous Image Carousel With Lightbox WordPress plugin versions 1.0.15 and below. The vulnerability was identified on January 21, 2023, and publicly disclosed on March 27, 2023 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 7.1 (HIGH) from Patchstack and 6.1 (MEDIUM) from NIST. The vulnerability exists due to improper sanitization and escaping of certain parameters before they are output back to users (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

Users are advised to update to version 1.0.16 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).