CVE-2023-3650: 
WordPress vulnerability analysis and mitigation

The Bubble Menu WordPress plugin versions before 3.0.5 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-3650. The vulnerability was discovered by Dipak Panchal and publicly disclosed on July 17, 2023. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations where high-privilege users such as administrators are present (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability could allow authenticated users with high-level privileges to inject malicious JavaScript code into the website through the plugin's settings. This injected code would then be executed when other users visit the affected pages, potentially leading to session hijacking, credential theft, or other malicious actions (WPScan).

The vulnerability has been patched in version 3.0.5 of the Bubble Menu plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).