CVE-2023-28785: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Yoast SEO: Local WordPress plugin versions 14.9 and below. The vulnerability was identified on March 24, 2023, and publicly disclosed on May 24, 2023. This security issue affects users with contributor-level access or higher privileges (Patchstack Report).

The vulnerability occurs because the plugin fails to properly sanitize and escape certain attributes before outputting them back into the page. This allows users with contributor-level privileges to inject arbitrary web scripts into pages and posts. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan, NVD).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected pages (Patchstack Report).

The vulnerability has been fixed in version 15.0 of the Yoast SEO: Local plugin. Users are advised to update to version 15.0 or later to remediate this security issue. Patchstack has also issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack Report).