CVE-2023-30877: 
WordPress vulnerability analysis and mitigation

The XML for Google Merchant Center plugin for WordPress, versions 3.0.1 and below, contains an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. This security issue was discovered in April 2023 and was assigned CVE-2023-30877 (Patchstack).

The vulnerability stems from improper sanitization and escaping of the page parameter before it is output back in the page. The issue has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (WPScan).

This Cross-Site Scripting vulnerability could allow attackers to inject malicious scripts that would be executed when users, particularly those with high privileges such as administrators, visit the affected pages. The successful exploitation could lead to unauthorized actions being performed on behalf of the victim users (WPScan).

The vulnerability has been fixed in version 3.0.2 of the XML for Google Merchant Center plugin. Users are strongly advised to update to this version or later to resolve the security issue (WPScan).