CVE-2023-30487: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in ThimPress LearnPress Export Import plugin versions 4.0.2 and below. The vulnerability was identified on April 8, 2023, and publicly disclosed on April 17, 2023. This security issue affects WordPress installations using the vulnerable plugin versions (Patchstack).

The vulnerability stems from improper sanitization and escaping of the 'learn-press-export-file-name' parameter before it is output back to the page. This security flaw has been assigned CVE-2023-30487 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 7.1 (High) from Patchstack and 6.1 (Medium) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, WPScan).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when users visit the affected site, potentially compromising the security of high-privilege users such as administrators (Patchstack).

The vulnerability has been fixed in version 4.0.3 of the LearnPress Export Import plugin. Users are strongly advised to update to version 4.0.3 or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).