CVE-2023-30473: 
WordPress vulnerability analysis and mitigation

CVE-2023-30473 is an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability affecting the YML for Yandex Market WordPress plugin versions 3.10.7 and below. The vulnerability was discovered by LEE SE HYOUNG and publicly disclosed on April 17, 2023. The issue was fixed in version 3.10.8 (Patchstack, WPScan).

The vulnerability stems from insufficient sanitization and escaping of the 'page' parameter before it is output back in the page. This vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NVD with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (WPScan).

The vulnerability could allow unauthenticated attackers to inject malicious scripts that could be executed against high-privilege users such as administrators. This could potentially lead to the execution of arbitrary web scripts when users interact with maliciously crafted links (Patchstack).

The recommended mitigation is to update the YML for Yandex Market plugin to version 3.10.8 or later. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).