CVE-2023-2899: 
WordPress vulnerability analysis and mitigation

CVE-2023-2899 affects the Google Map Shortcode WordPress plugin through version 3.1.2. The vulnerability was discovered and publicly disclosed on May 25, 2023. The plugin fails to properly validate and escape certain shortcode attributes before outputting them back in the page (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically occurs when the plugin fails to properly sanitize shortcode attributes, and it only works if the WordPress database is compatible with utf8generalci collate (WPScan, NVD).

The vulnerability allows users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as administrators. This could potentially lead to unauthorized access to sensitive data or execution of arbitrary actions with elevated privileges (WPScan).

As of the latest available information, there is no known fix for this vulnerability in the Google Map Shortcode plugin (WPScan).