CVE-2023-33216: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-33216) affects WooDiscuz – WooCommerce Comments WordPress plugin versions up to 2.2.9. This is an authenticated Stored Cross-Site Scripting (XSS) vulnerability that affects admin-level users. The vulnerability was discovered on May 19, 2023, and was patched in version 2.3.0 (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that occurs due to insufficient input sanitization and output escaping in the plugin's admin settings. The CVSS v3.1 base score is 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N according to NVD assessment. This vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. The impact is limited to installations where unfiltered_html has been disabled and multi-site installations (WPScan).

The vulnerability has been fixed in version 2.3.0 of the WooDiscuz – WooCommerce Comments plugin. Users are advised to update to version 2.3.0 or later to remove the vulnerability (Patchstack).