CVE-2023-3492: 
WordPress vulnerability analysis and mitigation

The WP Shopping Pages WordPress plugin through version 1.14 contains multiple security vulnerabilities related to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). The vulnerability was discovered and publicly disclosed on July 17, 2023, and was assigned CVE-2023-3492. The plugin lacks proper CSRF protection mechanisms and has insufficient input sanitization and output escaping, affecting the WordPress plugin 'shopping-pages' (WPScan).

The vulnerability has a CVSS v3.1 base score of 6.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. The issue stems from missing CSRF checks and inadequate sanitization and escaping mechanisms. This allows attackers to execute stored XSS payloads through CSRF attacks when a logged-in administrator accesses a specially crafted page. A proof of concept involves making a logged-in admin access a page containing the code 'document.forms[0].submit();' (WPScan, NVD).

The vulnerability allows attackers to execute stored XSS payloads through CSRF attacks, potentially compromising the security of the WordPress installation when an administrator is logged in. This could lead to unauthorized actions being performed with administrative privileges (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the WP Shopping Pages plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).