CVE-2023-33311: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the CRM Perks Contact Form Entries WordPress plugin versions 1.3.0 and below. The vulnerability was identified on May 22, 2023, and affects users with contributor-level permissions or higher (Patchstack).

The vulnerability stems from improper sanitization and escaping of the vx-entries shortcode attributes before their usage. This security flaw has been assigned CVE-2023-33311 and received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, WPScan).

The vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into posts or pages. This could potentially lead to the execution of malicious scripts when visitors access the affected pages (Patchstack).

The vulnerability has been patched in version 1.3.1 of the Contact Form Entries plugin. Users are advised to update to this version or later to remediate the security risk (WPScan).