CVE-2023-3170: 
WordPress vulnerability analysis and mitigation

The tagDiv Composer WordPress plugin before version 4.2, which serves as a companion plugin for the Newspaper and Newsmag themes from tagDiv, contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on August 17, 2023, and was assigned CVE-2023-3170 (WPScan).

The vulnerability stems from improper validation and escaping of certain settings in the plugin. This security flaw allows users with administrative privileges to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N and is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability could allow authenticated administrators to store and execute malicious JavaScript code on the website, potentially affecting other users who view the compromised pages. This is particularly concerning in multisite WordPress installations where the unfiltered_html capability is typically restricted for security purposes (WPScan).

The vulnerability has been patched in version 4.2 of the tagDiv Composer plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).