CVE-2023-32503: 
WordPress vulnerability analysis and mitigation

The GTmetrix for WordPress plugin versions 0.4.6 and below contain an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by researcher thiennv and was disclosed on May 9, 2023, receiving the identifier CVE-2023-32503. The issue affects the WordPress plugin GTmetrix for WordPress up to version 0.4.6 (Patchstack).

The vulnerability stems from improper sanitization and escaping of the report_id and event_id parameters before they are output back in the page. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.1 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a higher score of 7.1 (High) (NVD, WPScan).

The vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows attackers to inject malicious scripts that could be used for various malicious purposes, including redirects, unwanted advertisements, and other potentially harmful HTML payloads that execute when users visit the affected site (Patchstack).

The vulnerability has been patched in version 0.4.7 of the GTmetrix for WordPress plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).