CVE-2023-3344: 
WordPress vulnerability analysis and mitigation

The Auto Location for WP Job Manager via Google WordPress plugin before version 1.1 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-3344. The vulnerability was discovered and publicly disclosed on July 3, 2023. The plugin fails to properly sanitize and escape certain settings, affecting WordPress installations using this plugin (WPScan).

The vulnerability exists due to improper sanitization and escaping of settings in the plugin. Specifically, in the 'WP Job Location' settings, the 'Google Map API Key' field is susceptible to XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. This is particularly significant in managed WordPress environments where multiple administrators may have access (WPScan).

The vulnerability has been fixed in version 1.1 of the Auto Location for WP Job Manager via Google plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).