CVE-2023-30868: 
WordPress vulnerability analysis and mitigation

The CVE-2023-30868 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the Jon Christopher CMS Tree Page View WordPress plugin versions 1.6.7 and below. The vulnerability was discovered by LEE SE HYOUNG and publicly disclosed on April 20, 2023 (Patchstack).

The vulnerability occurs because the plugin does not properly sanitize and escape certain parameters before outputting them back in the page, which can lead to a Reflected Cross-Site Scripting attack. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The weakness is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (WPScan).

This vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when users visit the site. The attack could be used against high privilege users such as administrators (Patchstack).

The vulnerability has been fixed in version 1.6.8 of the CMS Tree Page View plugin. Users are advised to update to version 1.6.8 or later to remove the vulnerability. For users of Patchstack, a virtual patch is available to mitigate this issue by blocking any attacks until the update to a fixed version is completed (Patchstack).