CVE-2023-2995: 
WordPress vulnerability analysis and mitigation

The Leyka WordPress plugin before version 3.30.4 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-2995. The vulnerability was discovered on May 30th, 2023, and affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability stems from improper sanitization and escaping of settings in the plugin, specifically in the 'My Data' section. High-privilege users such as administrators can perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high-privilege users to inject malicious scripts into the plugin settings, specifically in the 'text of personal data usage Terms' or 'text of Terms of donation service' fields. When other users view these settings, the malicious scripts can be executed in their browsers (WPScan).

The vulnerability has been fixed in version 3.30.4 of the Leyka WordPress plugin. Users are advised to update to this version or later to mitigate the security risk. The issue was initially hot-fixed in version 3.30.3, but a proper fix was implemented in version 3.30.4 (WPScan).