CVE-2023-3356: 
WordPress vulnerability analysis and mitigation

The Subscribers Text Counter WordPress plugin before version 1.7.1 contains a Cross-Site Request Forgery (CSRF) vulnerability combined with a Stored Cross-Site Scripting (XSS) issue. The vulnerability was discovered on August 4, 2023, and affects the plugin's settings update functionality (WPScan).

The vulnerability stems from two main issues: First, the plugin lacks CSRF protection when updating its settings, and second, there is insufficient sanitization and escaping of input data. The vulnerability has been assigned a CVSS score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating that it requires user interaction but can be exploited remotely (NVD).

If successfully exploited, an attacker could trick an authenticated administrator into making unwanted changes to the plugin's settings through a CSRF attack. Additionally, due to the lack of proper input sanitization, this could lead to stored cross-site scripting, potentially allowing malicious scripts to be executed in the context of other users' browsers (WPScan).

The vulnerability has been fixed in version 1.7.1 of the Subscribers Text Counter plugin. Users are strongly advised to update to this version or later to protect against these security issues (WPScan).

The vulnerability was discovered and reported by security researcher Pallab Jyoti Borah. The issue was verified by the WPScan team and assigned CVE-2023-3356 (WPScan).