CVE-2023-3129: 
WordPress vulnerability analysis and mitigation

The URL Shortify WordPress plugin before version 1.7.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on June 19, 2023, and was assigned CVE-2023-3129. The issue affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability stems from improper sanitization and escaping of settings fields in the plugin. This security issue allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users with administrative privileges to store and execute malicious JavaScript code on the website. This could potentially affect other users viewing the affected pages, even in environments where unfiltered HTML is typically restricted, such as WordPress multisite installations (WPScan).

The vulnerability has been fixed in URL Shortify version 1.7.0. Users are advised to update to this version or later to mitigate the security risk (WPScan).