CVE-2023-32961: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2023-32961 is an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability affecting the Katie Seaborn Zotpress WordPress plugin versions 7.3.3 and earlier. The vulnerability was discovered and reported by LOURCODE on April 9, 2023, and was publicly disclosed on May 16, 2023 (Patchstack).

The vulnerability exists in the get_request_token function located in zotpress/lib/admin/admin.accounts.oauth.php. The issue stems from improper sanitization and escaping of a parameter before it is output back to the page. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) by Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NIST NVD).

This Cross-Site Scripting vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when users, particularly high-privilege users such as administrators, visit the affected pages (WPScan).

The vulnerability has been patched in version 7.3.4 of the Zotpress plugin. Website administrators are strongly advised to update to this version or later to resolve the security issue. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).