CVE-2023-3647: 
WordPress vulnerability analysis and mitigation

The IURNY by INDIGITALL WordPress plugin before version 3.2.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on July 24, 2023, and was assigned CVE-2023-3647. The plugin fails to properly sanitize and escape certain settings, potentially allowing high-privilege users such as administrators to perform Stored XSS attacks, even when the unfiltered_html capability is disabled, such as in multisite setups (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from insufficient input validation and output encoding in the plugin's settings fields, including Bubble Text, Header, Chat Text, and Button Text. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated users with high privileges to store malicious JavaScript code in the plugin's settings. When other users visit the affected pages, the stored malicious code executes in their browsers, potentially leading to session hijacking, defacement, or theft of sensitive browser data (WPScan).

The vulnerability has been fixed in version 3.2.3 of the IURNY by INDIGITALL WordPress plugin. Site administrators should update to this version or later to mitigate the risk (WPScan).