CVE-2023-31079: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Chris Roberts Tippy plugin versions 6.2.1 and below for WordPress. The vulnerability was identified on April 24, 2023, and assigned CVE-2023-31079. This security issue affects users with contributor-level permissions and above (Patchstack).

The vulnerability stems from the plugin's failure to properly validate and escape certain shortcode attributes before outputting them back in a page or post where the shortcode is embedded. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a score of 6.5 (Medium). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers could inject malicious scripts, including redirects, advertisements, and other HTML payloads that would execute when visitors access the affected site (WPScan).

Currently, there is no known official fix available for this vulnerability in the Tippy plugin (Patchstack).